Merge pull request #1846 from andrewhsu/v

update vndr docker/docker ac48309 and related packages
update vndr coreos/etcd d57e8b8
2019-04-24 21:43:12 +02:00 · 2019-04-24 18:29:33 +00:00 · 2019-04-24 18:26:58 +00:00 · 2019-04-24 18:24:26 +00:00 · 2019-04-24 18:14:51 +00:00 · 2019-04-24 18:10:45 +00:00
241 changed files with 6488 additions and 2970 deletions
--- a/appveyor.yml
+++ b/appveyor.yml
@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli

 environment:
  GOPATH: c:\gopath
-  GOVERSION: 1.12.1
+  GOVERSION: 1.12.4
  DEPVERSION: v0.4.1

 install:
@ -20,4 +20,4 @@ build_script:
  - ps: .\scripts\make.ps1 -Binary

 test_script:
-  - ps: .\scripts\make.ps1 -TestUnit
+  - ps: .\scripts\make.ps1 -TestUnit
--- a/cli-plugins/manager/manager.go
+++ b/cli-plugins/manager/manager.go
@ -164,6 +164,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 			return nil, err
 		}
 		if plugin.Err != nil {
+			// TODO: why are we not returning plugin.Err?
 			return nil, errPluginNotFound(name)
 		}
 		cmd := exec.Command(plugin.Path, args...)
--- a/cli/command/builder/cmd.go
+++ b/cli/command/builder/cmd.go
@ -5,6 +5,7 @@ import (

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
 )

 // NewBuilderCommand returns a cobra command for `builder` subcommands
@ -18,6 +19,7 @@ func NewBuilderCommand(dockerCli command.Cli) *cobra.Command {
 	}
 	cmd.AddCommand(
 		NewPruneCommand(dockerCli),
+		image.NewBuildCommand(dockerCli),
 	)
 	return cmd
 }
--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@ -290,8 +290,8 @@ func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigF
 	return client.NewClientWithOpts(clientOpts...)
 }

-func resolveDockerEndpoint(s store.Store, contextName string) (docker.Endpoint, error) {
-	ctxMeta, err := s.GetContextMetadata(contextName)
+func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint, error) {
+	ctxMeta, err := s.GetMetadata(contextName)
 	if err != nil {
 		return docker.Endpoint{}, err
 	}
@ -399,7 +399,7 @@ func (cli *DockerCli) CurrentContext() string {
 // StackOrchestrator resolves which stack orchestrator is in use
 func (cli *DockerCli) StackOrchestrator(flagValue string) (Orchestrator, error) {
 	currentContext := cli.CurrentContext()
-	ctxRaw, err := cli.ContextStore().GetContextMetadata(currentContext)
+	ctxRaw, err := cli.ContextStore().GetMetadata(currentContext)
 	if store.IsErrContextDoesNotExist(err) {
 		// case where the currentContext has been removed (CLI behavior is to fallback to using DOCKER_HOST based resolution)
 		return GetStackOrchestrator(flagValue, "", cli.ConfigFile().StackOrchestrator, cli.Err())
@ -500,7 +500,7 @@ func UserAgent() string {
 // - if DOCKER_CONTEXT is set, use this value
 // - if Config file has a globally set "CurrentContext", use this value
 // - fallbacks to default HOST, uses TLS config from flags/env vars
-func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigFile, contextstore store.Store) (string, error) {
+func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigFile, contextstore store.Reader) (string, error) {
 	if opts.Context != "" && len(opts.Hosts) > 0 {
 		return "", errors.New("Conflicting options: either specify --host or --context, not both")
 	}
@ -517,7 +517,7 @@ func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigF
 		return ctxName, nil
 	}
 	if config != nil && config.CurrentContext != "" {
-		_, err := contextstore.GetContextMetadata(config.CurrentContext)
+		_, err := contextstore.GetMetadata(config.CurrentContext)
 		if store.IsErrContextDoesNotExist(err) {
 			return "", errors.Errorf("Current context %q is not found on the file system, please check your config file at %s", config.CurrentContext, config.Filename)
 		}
--- a/cli/command/container/opts.go
+++ b/cli/command/container/opts.go
@ -485,6 +485,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		return nil, err
 	}

+	securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(securityOpts)
+
 	storageOpts, err := parseStorageOpts(copts.storageOpt.GetAll())
 	if err != nil {
 		return nil, err
@ -635,6 +637,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		Sysctls:        copts.sysctls.GetAll(),
 		Runtime:        copts.runtime,
 		Mounts:         mounts,
+		MaskedPaths:    maskedPaths,
+		ReadonlyPaths:  readonlyPaths,
 	}

 	if copts.autoRemove && !hostConfig.RestartPolicy.IsNone() {
@ -825,6 +829,25 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
 	return securityOpts, nil
 }

+// parseSystemPaths checks if `systempaths=unconfined` security option is set,
+// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated
+// list of security options is returned with this option removed, because the
+// `unconfined` option is handled client-side, and should not be sent to the
+// daemon.
+func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) {
+	filtered = securityOpts[:0]
+	for _, opt := range securityOpts {
+		if opt == "systempaths=unconfined" {
+			maskedPaths = []string{}
+			readonlyPaths = []string{}
+		} else {
+			filtered = append(filtered, opt)
+		}
+	}
+
+	return filtered, maskedPaths, readonlyPaths
+}
+
 // parses storage options per container into a map
 func parseStorageOpts(storageOpts []string) (map[string]string, error) {
 	m := make(map[string]string)
--- a/cli/command/container/opts_test.go
+++ b/cli/command/container/opts_test.go
@ -800,3 +800,57 @@ func TestValidateDevice(t *testing.T) {
 		}
 	}
 }
+
+func TestParseSystemPaths(t *testing.T) {
+	tests := []struct {
+		doc                       string
+		in, out, masked, readonly []string
+	}{
+		{
+			doc: "not set",
+			in:  []string{},
+			out: []string{},
+		},
+		{
+			doc: "not set, preserve other options",
+			in: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+			out: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+		},
+		{
+			doc:      "unconfined",
+			in:       []string{"systempaths=unconfined"},
+			out:      []string{},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc:      "unconfined and other options",
+			in:       []string{"foo=bar", "bar=baz", "systempaths=unconfined"},
+			out:      []string{"foo=bar", "bar=baz"},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc: "unknown option",
+			in:  []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+			out: []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+		},
+	}
+
+	for _, tc := range tests {
+		securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(tc.in)
+		assert.DeepEqual(t, securityOpts, tc.out)
+		assert.DeepEqual(t, maskedPaths, tc.masked)
+		assert.DeepEqual(t, readonlyPaths, tc.readonly)
+	}
+}
--- a/cli/command/context.go
+++ b/cli/command/context.go
@ -13,7 +13,7 @@ type DockerContext struct {
 }

 // GetDockerContext extracts metadata from stored context metadata
-func GetDockerContext(storeMetadata store.ContextMetadata) (DockerContext, error) {
+func GetDockerContext(storeMetadata store.Metadata) (DockerContext, error) {
 	if storeMetadata.Metadata == nil {
 		// can happen if we save endpoints before assigning a context metadata
 		// it is totally valid, and we should return a default initialized value
--- a/cli/command/context/create.go
+++ b/cli/command/context/create.go
@ -21,6 +21,7 @@ type CreateOptions struct {
 	DefaultStackOrchestrator string
 	Docker                   map[string]string
 	Kubernetes               map[string]string
+	From                     string
 }

 func longCreateDescription() string {
@ -63,6 +64,7 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 		"Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)")
 	flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint")
 	flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint")
+	flags.StringVar(&opts.From, "from", "", "create context from a named context")
 	return cmd
 }

@ -76,17 +78,20 @@ func RunCreate(cli command.Cli, o *CreateOptions) error {
 	if err != nil {
 		return errors.Wrap(err, "unable to parse default-stack-orchestrator")
 	}
-	contextMetadata := store.ContextMetadata{
-		Endpoints: make(map[string]interface{}),
-		Metadata: command.DockerContext{
-			Description:       o.Description,
-			StackOrchestrator: stackOrchestrator,
-		},
-		Name: o.Name,
+	if o.From == "" && o.Docker == nil && o.Kubernetes == nil {
+		return createFromExistingContext(s, cli.CurrentContext(), stackOrchestrator, o)
 	}
+	if o.From != "" {
+		return createFromExistingContext(s, o.From, stackOrchestrator, o)
+	}
+	return createNewContext(o, stackOrchestrator, cli, s)
+}
+
+func createNewContext(o *CreateOptions, stackOrchestrator command.Orchestrator, cli command.Cli, s store.Writer) error {
 	if o.Docker == nil {
 		return errors.New("docker endpoint configuration is required")
 	}
+	contextMetadata := newContextMetadata(stackOrchestrator, o)
 	contextTLSData := store.ContextTLSData{
 		Endpoints: make(map[string]store.EndpointTLSData),
 	}
@ -116,10 +121,10 @@ func RunCreate(cli command.Cli, o *CreateOptions) error {
 	if err := validateEndpointsAndOrchestrator(contextMetadata); err != nil {
 		return err
 	}
-	if err := s.CreateOrUpdateContext(contextMetadata); err != nil {
+	if err := s.CreateOrUpdate(contextMetadata); err != nil {
 		return err
 	}
-	if err := s.ResetContextTLSMaterial(o.Name, &contextTLSData); err != nil {
+	if err := s.ResetTLSMaterial(o.Name, &contextTLSData); err != nil {
 		return err
 	}
 	fmt.Fprintln(cli.Out(), o.Name)
@ -127,11 +132,11 @@ func RunCreate(cli command.Cli, o *CreateOptions) error {
 	return nil
 }

-func checkContextNameForCreation(s store.Store, name string) error {
+func checkContextNameForCreation(s store.Reader, name string) error {
 	if err := validateContextName(name); err != nil {
 		return err
 	}
-	if _, err := s.GetContextMetadata(name); !store.IsErrContextDoesNotExist(err) {
+	if _, err := s.GetMetadata(name); !store.IsErrContextDoesNotExist(err) {
 		if err != nil {
 			return errors.Wrap(err, "error while getting existing contexts")
 		}
@ -139,3 +144,52 @@ func checkContextNameForCreation(s store.Store, name string) error {
 	}
 	return nil
 }
+
+func createFromExistingContext(s store.ReaderWriter, fromContextName string, stackOrchestrator command.Orchestrator, o *CreateOptions) error {
+	if len(o.Docker) != 0 || len(o.Kubernetes) != 0 {
+		return errors.New("cannot use --docker or --kubernetes flags when --from is set")
+	}
+	reader := store.Export(fromContextName, &descriptionAndOrchestratorStoreDecorator{
+		Reader:       s,
+		description:  o.Description,
+		orchestrator: stackOrchestrator,
+	})
+	defer reader.Close()
+	return store.Import(o.Name, s, reader)
+}
+
+type descriptionAndOrchestratorStoreDecorator struct {
+	store.Reader
+	description  string
+	orchestrator command.Orchestrator
+}
+
+func (d *descriptionAndOrchestratorStoreDecorator) GetMetadata(name string) (store.Metadata, error) {
+	c, err := d.Reader.GetMetadata(name)
+	if err != nil {
+		return c, err
+	}
+	typedContext, err := command.GetDockerContext(c)
+	if err != nil {
+		return c, err
+	}
+	if d.description != "" {
+		typedContext.Description = d.description
+	}
+	if d.orchestrator != command.Orchestrator("") {
+		typedContext.StackOrchestrator = d.orchestrator
+	}
+	c.Metadata = typedContext
+	return c, nil
+}
+
+func newContextMetadata(stackOrchestrator command.Orchestrator, o *CreateOptions) store.Metadata {
+	return store.Metadata{
+		Endpoints: make(map[string]interface{}),
+		Metadata: command.DockerContext{
+			Description:       o.Description,
+			StackOrchestrator: stackOrchestrator,
+		},
+		Name: o.Name,
+	}
+}
--- a/cli/command/context/create_test.go
+++ b/cli/command/context/create_test.go
@ -27,7 +27,7 @@ func makeFakeCli(t *testing.T, opts ...func(*test.FakeCli)) (*test.FakeCli, func
 		Store: store.New(dir, storeConfig),
 		Resolver: func() (*command.DefaultContext, error) {
 			return &command.DefaultContext{
-				Meta: store.ContextMetadata{
+				Meta: store.Metadata{
 					Endpoints: map[string]interface{}{
 						docker.DockerEndpoint: docker.EndpointMeta{
 							Host: "unix:///var/run/docker.sock",
@ -63,7 +63,7 @@ func withCliConfig(configFile *configfile.ConfigFile) func(*test.FakeCli) {
 func TestCreateInvalids(t *testing.T) {
 	cli, cleanup := makeFakeCli(t)
 	defer cleanup()
-	assert.NilError(t, cli.ContextStore().CreateOrUpdateContext(store.ContextMetadata{Name: "existing-context"}))
+	assert.NilError(t, cli.ContextStore().CreateOrUpdate(store.Metadata{Name: "existing-context"}))
 	tests := []struct {
 		options     CreateOptions
 		expecterErr string
@ -105,13 +105,6 @@ func TestCreateInvalids(t *testing.T) {
 			},
 			expecterErr: `specified orchestrator "invalid" is invalid, please use either kubernetes, swarm or all`,
 		},
-		{
-			options: CreateOptions{
-				Name:                     "orchestrator-swarm-no-endpoint",
-				DefaultStackOrchestrator: "swarm",
-			},
-			expecterErr: `docker endpoint configuration is required`,
-		},
 		{
 			options: CreateOptions{
 				Name:                     "orchestrator-kubernetes-no-endpoint",
@ -163,9 +156,9 @@ func TestCreateOrchestratorEmpty(t *testing.T) {
 	assert.NilError(t, err)
 }

-func validateTestKubeEndpoint(t *testing.T, s store.Store, name string) {
+func validateTestKubeEndpoint(t *testing.T, s store.Reader, name string) {
 	t.Helper()
-	ctxMetadata, err := s.GetContextMetadata(name)
+	ctxMetadata, err := s.GetMetadata(name)
 	assert.NilError(t, err)
 	kubeMeta := ctxMetadata.Endpoints[kubernetes.KubernetesEndpoint].(kubernetes.EndpointMeta)
 	kubeEP, err := kubeMeta.WithTLSData(s, name)
@ -185,7 +178,7 @@ func createTestContextWithKube(t *testing.T, cli command.Cli) {
 		Name:                     "test",
 		DefaultStackOrchestrator: "all",
 		Kubernetes: map[string]string{
-			keyFromCurrent: "true",
+			keyFrom: "default",
 		},
 		Docker: map[string]string{},
 	})
@ -198,3 +191,157 @@ func TestCreateOrchestratorAllKubernetesEndpointFromCurrent(t *testing.T) {
 	createTestContextWithKube(t, cli)
 	validateTestKubeEndpoint(t, cli.ContextStore(), "test")
 }
+
+func TestCreateFromContext(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		docker               map[string]string
+		kubernetes           map[string]string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "dummy",
+		Description: "dummy description",
+		Docker: map[string]string{
+			keyHost: "tcp://24.24.24.24:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+
+	cli.SetCurrentContext("dummy")
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			err := RunCreate(cli, &CreateOptions{
+				From:                     "original",
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+				Docker:                   c.docker,
+				Kubernetes:               c.kubernetes,
+			})
+			assert.NilError(t, err)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}
+
+func TestCreateFromCurrent(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+
+	cli.SetCurrentContext("original")
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			err := RunCreate(cli, &CreateOptions{
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+			})
+			assert.NilError(t, err)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}
--- a/cli/command/context/export-import_test.go
+++ b/cli/command/context/export-import_test.go
@ -29,9 +29,9 @@ func TestExportImportWithFile(t *testing.T) {
 	cli.OutBuffer().Reset()
 	cli.ErrBuffer().Reset()
 	assert.NilError(t, RunImport(cli, "test2", contextFile))
-	context1, err := cli.ContextStore().GetContextMetadata("test")
+	context1, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
-	context2, err := cli.ContextStore().GetContextMetadata("test2")
+	context2, err := cli.ContextStore().GetMetadata("test2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
 	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
@ -57,9 +57,9 @@ func TestExportImportPipe(t *testing.T) {
 	cli.OutBuffer().Reset()
 	cli.ErrBuffer().Reset()
 	assert.NilError(t, RunImport(cli, "test2", "-"))
-	context1, err := cli.ContextStore().GetContextMetadata("test")
+	context1, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
-	context2, err := cli.ContextStore().GetContextMetadata("test2")
+	context2, err := cli.ContextStore().GetMetadata("test2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
 	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
--- a/cli/command/context/export.go
+++ b/cli/command/context/export.go
@ -80,7 +80,7 @@ func RunExport(dockerCli command.Cli, opts *ExportOptions) error {
 	if err := validateContextName(opts.ContextName); err != nil && opts.ContextName != command.DefaultContextName {
 		return err
 	}
-	ctxMeta, err := dockerCli.ContextStore().GetContextMetadata(opts.ContextName)
+	ctxMeta, err := dockerCli.ContextStore().GetMetadata(opts.ContextName)
 	if err != nil {
 		return err
 	}
--- a/cli/command/context/inspect.go
+++ b/cli/command/context/inspect.go
@ -40,25 +40,25 @@ func newInspectCommand(dockerCli command.Cli) *cobra.Command {

 func runInspect(dockerCli command.Cli, opts inspectOptions) error {
 	getRefFunc := func(ref string) (interface{}, []byte, error) {
-		c, err := dockerCli.ContextStore().GetContextMetadata(ref)
+		c, err := dockerCli.ContextStore().GetMetadata(ref)
 		if err != nil {
 			return nil, nil, err
 		}
-		tlsListing, err := dockerCli.ContextStore().ListContextTLSFiles(ref)
+		tlsListing, err := dockerCli.ContextStore().ListTLSFiles(ref)
 		if err != nil {
 			return nil, nil, err
 		}
 		return contextWithTLSListing{
-			ContextMetadata: c,
-			TLSMaterial:     tlsListing,
-			Storage:         dockerCli.ContextStore().GetContextStorageInfo(ref),
+			Metadata:    c,
+			TLSMaterial: tlsListing,
+			Storage:     dockerCli.ContextStore().GetStorageInfo(ref),
 		}, nil, nil
 	}
 	return inspect.Inspect(dockerCli.Out(), opts.refs, opts.format, getRefFunc)
 }

 type contextWithTLSListing struct {
-	store.ContextMetadata
+	store.Metadata
 	TLSMaterial map[string]store.EndpointFiles
-	Storage     store.ContextStorageInfo
+	Storage     store.StorageInfo
 }
--- a/cli/command/context/inspect_test.go
+++ b/cli/command/context/inspect_test.go
@ -17,7 +17,7 @@ func TestInspect(t *testing.T) {
 		refs: []string{"current"},
 	}))
 	expected := string(golden.Get(t, "inspect.golden"))
-	si := cli.ContextStore().GetContextStorageInfo("current")
+	si := cli.ContextStore().GetStorageInfo("current")
 	expected = strings.Replace(expected, "<METADATA_PATH>", strings.Replace(si.MetadataPath, `\`, `\\`, -1), 1)
 	expected = strings.Replace(expected, "<TLS_PATH>", strings.Replace(si.TLSPath, `\`, `\\`, -1), 1)
 	assert.Equal(t, cli.OutBuffer().String(), expected)
--- a/cli/command/context/list.go
+++ b/cli/command/context/list.go
@ -2,6 +2,7 @@ package context

 import (
 	"fmt"
+	"os"
 	"sort"

 	"github.com/docker/cli/cli"
@ -41,7 +42,7 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 		opts.format = formatter.TableFormatKey
 	}
 	curContext := dockerCli.CurrentContext()
-	contextMap, err := dockerCli.ContextStore().ListContexts()
+	contextMap, err := dockerCli.ContextStore().List()
 	if err != nil {
 		return err
 	}
@ -76,7 +77,14 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 	sort.Slice(contexts, func(i, j int) bool {
 		return sortorder.NaturalLess(contexts[i].Name, contexts[j].Name)
 	})
-	return format(dockerCli, opts, contexts)
+	if err := format(dockerCli, opts, contexts); err != nil {
+		return err
+	}
+	if os.Getenv("DOCKER_HOST") != "" {
+		fmt.Fprint(dockerCli.Err(), "Warning: DOCKER_HOST environment variable overrides the active context. "+
+			"To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.\n")
+	}
+	return nil
 }

 func format(dockerCli command.Cli, opts *listOptions, contexts []*formatter.ClientContext) error {
--- a/cli/command/context/list_test.go
+++ b/cli/command/context/list_test.go
@ -17,7 +17,7 @@ func createTestContextWithKubeAndSwarm(t *testing.T, cli command.Cli, name strin
 		Name:                     name,
 		DefaultStackOrchestrator: orchestrator,
 		Description:              "description of " + name,
-		Kubernetes:               map[string]string{keyFromCurrent: "true"},
+		Kubernetes:               map[string]string{keyFrom: "default"},
 		Docker:                   map[string]string{keyHost: "https://someswarmserver"},
 	})
 	assert.NilError(t, err)
--- a/cli/command/context/options.go
+++ b/cli/command/context/options.go
@ -18,7 +18,7 @@ import (
 )

 const (
-	keyFromCurrent   = "from-current"
+	keyFrom          = "from"
 	keyHost          = "host"
 	keyCA            = "ca"
 	keyCert          = "cert"
@ -36,7 +36,7 @@ type configKeyDescription struct {

 var (
 	allowedDockerConfigKeys = map[string]struct{}{
-		keyFromCurrent:   {},
+		keyFrom:          {},
 		keyHost:          {},
 		keyCA:            {},
 		keyCert:          {},
@ -44,15 +44,15 @@ var (
 		keySkipTLSVerify: {},
 	}
 	allowedKubernetesConfigKeys = map[string]struct{}{
-		keyFromCurrent:   {},
+		keyFrom:          {},
 		keyKubeconfig:    {},
 		keyKubecontext:   {},
 		keyKubenamespace: {},
 	}
 	dockerConfigKeysDescriptions = []configKeyDescription{
 		{
-			name:        keyFromCurrent,
-			description: "Copy current Docker endpoint configuration",
+			name:        keyFrom,
+			description: "Copy named context's Docker endpoint configuration",
 		},
 		{
 			name:        keyHost,
@ -77,8 +77,8 @@ var (
 	}
 	kubernetesConfigKeysDescriptions = []configKeyDescription{
 		{
-			name:        keyFromCurrent,
-			description: "Copy current Kubernetes endpoint configuration",
+			name:        keyFrom,
+			description: "Copy named context's Kubernetes endpoint configuration",
 		},
 		{
 			name:        keyKubeconfig,
@ -121,12 +121,15 @@ func getDockerEndpoint(dockerCli command.Cli, config map[string]string) (docker.
 	if err := validateConfig(config, allowedDockerConfigKeys); err != nil {
 		return docker.Endpoint{}, err
 	}
-	fromCurrent, err := parseBool(config, keyFromCurrent)
-	if err != nil {
-		return docker.Endpoint{}, err
-	}
-	if fromCurrent {
-		return dockerCli.DockerEndpoint(), nil
+	if contextName, ok := config[keyFrom]; ok {
+		metadata, err := dockerCli.ContextStore().GetMetadata(contextName)
+		if err != nil {
+			return docker.Endpoint{}, err
+		}
+		if ep, ok := metadata.Endpoints[docker.DockerEndpoint].(docker.EndpointMeta); ok {
+			return docker.Endpoint{EndpointMeta: ep}, nil
+		}
+		return docker.Endpoint{}, errors.Errorf("unable to get endpoint from context %q", contextName)
 	}
 	tlsData, err := context.TLSDataFromFiles(config[keyCA], config[keyCert], config[keyKey])
 	if err != nil {
@ -169,25 +172,20 @@ func getKubernetesEndpoint(dockerCli command.Cli, config map[string]string) (*ku
 	if len(config) == 0 {
 		return nil, nil
 	}
-	fromCurrent, err := parseBool(config, keyFromCurrent)
-	if err != nil {
-		return nil, err
-	}
-	if fromCurrent {
-		if dockerCli.CurrentContext() != "" {
-			ctxMeta, err := dockerCli.ContextStore().GetContextMetadata(dockerCli.CurrentContext())
+	if contextName, ok := config[keyFrom]; ok {
+		ctxMeta, err := dockerCli.ContextStore().GetMetadata(contextName)
+		if err != nil {
+			return nil, err
+		}
+		endpointMeta := kubernetes.EndpointFromContext(ctxMeta)
+		if endpointMeta != nil {
+			res, err := endpointMeta.WithTLSData(dockerCli.ContextStore(), dockerCli.CurrentContext())
 			if err != nil {
 				return nil, err
 			}
-			endpointMeta := kubernetes.EndpointFromContext(ctxMeta)
-			if endpointMeta != nil {
-				res, err := endpointMeta.WithTLSData(dockerCli.ContextStore(), dockerCli.CurrentContext())
-				if err != nil {
-					return nil, err
-				}
-				return &res, nil
-			}
+			return &res, nil
 		}
+
 		// fallback to env-based kubeconfig
 		kubeconfig := os.Getenv("KUBECONFIG")
 		if kubeconfig == "" {
--- a/cli/command/context/remove.go
+++ b/cli/command/context/remove.go
@ -50,7 +50,7 @@ func RunRemove(dockerCli command.Cli, opts RemoveOptions, names []string) error
 }

 func doRemove(dockerCli command.Cli, name string, isCurrent, force bool) error {
-	if _, err := dockerCli.ContextStore().GetContextMetadata(name); err != nil {
+	if _, err := dockerCli.ContextStore().GetMetadata(name); err != nil {
 		return err
 	}
 	if isCurrent {
@ -64,5 +64,5 @@ func doRemove(dockerCli command.Cli, name string, isCurrent, force bool) error {
 			return err
 		}
 	}
-	return dockerCli.ContextStore().RemoveContext(name)
+	return dockerCli.ContextStore().Remove(name)
 }
--- a/cli/command/context/remove_test.go
+++ b/cli/command/context/remove_test.go
@ -18,9 +18,9 @@ func TestRemove(t *testing.T) {
 	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
 	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
 	assert.NilError(t, RunRemove(cli, RemoveOptions{}, []string{"other"}))
-	_, err := cli.ContextStore().GetContextMetadata("current")
+	_, err := cli.ContextStore().GetMetadata("current")
 	assert.NilError(t, err)
-	_, err = cli.ContextStore().GetContextMetadata("other")
+	_, err = cli.ContextStore().GetMetadata("other")
 	assert.Check(t, store.IsErrContextDoesNotExist(err))
 }

--- a/cli/command/context/update.go
+++ b/cli/command/context/update.go
@ -72,7 +72,7 @@ func RunUpdate(cli command.Cli, o *UpdateOptions) error {
 		return err
 	}
 	s := cli.ContextStore()
-	c, err := s.GetContextMetadata(o.Name)
+	c, err := s.GetMetadata(o.Name)
 	if err != nil {
 		return err
 	}
@ -118,11 +118,11 @@ func RunUpdate(cli command.Cli, o *UpdateOptions) error {
 	if err := validateEndpointsAndOrchestrator(c); err != nil {
 		return err
 	}
-	if err := s.CreateOrUpdateContext(c); err != nil {
+	if err := s.CreateOrUpdate(c); err != nil {
 		return err
 	}
 	for ep, tlsData := range tlsDataToReset {
-		if err := s.ResetContextEndpointTLSMaterial(o.Name, ep, tlsData); err != nil {
+		if err := s.ResetEndpointTLSMaterial(o.Name, ep, tlsData); err != nil {
 			return err
 		}
 	}
@ -132,7 +132,7 @@ func RunUpdate(cli command.Cli, o *UpdateOptions) error {
 	return nil
 }

-func validateEndpointsAndOrchestrator(c store.ContextMetadata) error {
+func validateEndpointsAndOrchestrator(c store.Metadata) error {
 	dockerContext, err := command.GetDockerContext(c)
 	if err != nil {
 		return err
--- a/cli/command/context/update_test.go
+++ b/cli/command/context/update_test.go
@ -25,7 +25,7 @@ func TestUpdateDescriptionOnly(t *testing.T) {
 		Name:        "test",
 		Description: "description",
 	}))
-	c, err := cli.ContextStore().GetContextMetadata("test")
+	c, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
 	dc, err := command.GetDockerContext(c)
 	assert.NilError(t, err)
@ -46,7 +46,7 @@ func TestUpdateDockerOnly(t *testing.T) {
 			keyHost: "tcp://some-host",
 		},
 	}))
-	c, err := cli.ContextStore().GetContextMetadata("test")
+	c, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
 	dc, err := command.GetDockerContext(c)
 	assert.NilError(t, err)
--- a/cli/command/context/use.go
+++ b/cli/command/context/use.go
@ -2,6 +2,7 @@ package context

 import (
 	"fmt"
+	"os"

 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
@ -25,7 +26,7 @@ func RunUse(dockerCli command.Cli, name string) error {
 	if err := validateContextName(name); err != nil && name != "default" {
 		return err
 	}
-	if _, err := dockerCli.ContextStore().GetContextMetadata(name); err != nil && name != "default" {
+	if _, err := dockerCli.ContextStore().GetMetadata(name); err != nil && name != "default" {
 		return err
 	}
 	configValue := name
@ -39,5 +40,9 @@ func RunUse(dockerCli command.Cli, name string) error {
 	}
 	fmt.Fprintln(dockerCli.Out(), name)
 	fmt.Fprintf(dockerCli.Err(), "Current context is now %q\n", name)
+	if os.Getenv("DOCKER_HOST") != "" {
+		fmt.Fprintf(dockerCli.Err(), "Warning: DOCKER_HOST environment variable overrides the active context. "+
+			"To use %q, either set the global --context flag, or unset DOCKER_HOST environment variable.\n", name)
+	}
 	return nil
 }
--- a/cli/command/defaultcontextstore.go
+++ b/cli/command/defaultcontextstore.go
@ -22,7 +22,7 @@ const (

 // DefaultContext contains the default context data for all enpoints
 type DefaultContext struct {
-	Meta store.ContextMetadata
+	Meta store.Metadata
 	TLS  store.ContextTLSData
 }

@ -35,7 +35,7 @@ type ContextStoreWithDefault struct {
 	Resolver DefaultContextResolver
 }

-// resolveDefaultContext creates a ContextMetadata for the current CLI invocation parameters
+// resolveDefaultContext creates a Metadata for the current CLI invocation parameters
 func resolveDefaultContext(opts *cliflags.CommonOptions, config *configfile.ConfigFile, stderr io.Writer) (*DefaultContext, error) {
 	stackOrchestrator, err := GetStackOrchestrator("", "", config.StackOrchestrator, stderr)
 	if err != nil {
@ -44,7 +44,7 @@ func resolveDefaultContext(opts *cliflags.CommonOptions, config *configfile.Conf
 	contextTLSData := store.ContextTLSData{
 		Endpoints: make(map[string]store.EndpointTLSData),
 	}
-	contextMetadata := store.ContextMetadata{
+	contextMetadata := store.Metadata{
 		Endpoints: make(map[string]interface{}),
 		Metadata: DockerContext{
 			Description:       "",
@ -81,9 +81,9 @@ func resolveDefaultContext(opts *cliflags.CommonOptions, config *configfile.Conf
 	return &DefaultContext{Meta: contextMetadata, TLS: contextTLSData}, nil
 }

-// ListContexts implements store.Store's ListContexts
-func (s *ContextStoreWithDefault) ListContexts() ([]store.ContextMetadata, error) {
-	contextList, err := s.Store.ListContexts()
+// List implements store.Store's List
+func (s *ContextStoreWithDefault) List() ([]store.Metadata, error) {
+	contextList, err := s.Store.List()
 	if err != nil {
 		return nil, err
 	}
@ -94,52 +94,52 @@ func (s *ContextStoreWithDefault) ListContexts() ([]store.ContextMetadata, error
 	return append(contextList, defaultContext.Meta), nil
 }

-// CreateOrUpdateContext is not allowed for the default context and fails
-func (s *ContextStoreWithDefault) CreateOrUpdateContext(meta store.ContextMetadata) error {
+// CreateOrUpdate is not allowed for the default context and fails
+func (s *ContextStoreWithDefault) CreateOrUpdate(meta store.Metadata) error {
 	if meta.Name == DefaultContextName {
 		return errors.New("default context cannot be created nor updated")
 	}
-	return s.Store.CreateOrUpdateContext(meta)
+	return s.Store.CreateOrUpdate(meta)
 }

-// RemoveContext is not allowed for the default context and fails
-func (s *ContextStoreWithDefault) RemoveContext(name string) error {
+// Remove is not allowed for the default context and fails
+func (s *ContextStoreWithDefault) Remove(name string) error {
 	if name == DefaultContextName {
 		return errors.New("default context cannot be removed")
 	}
-	return s.Store.RemoveContext(name)
+	return s.Store.Remove(name)
 }

-// GetContextMetadata implements store.Store's GetContextMetadata
-func (s *ContextStoreWithDefault) GetContextMetadata(name string) (store.ContextMetadata, error) {
+// GetMetadata implements store.Store's GetMetadata
+func (s *ContextStoreWithDefault) GetMetadata(name string) (store.Metadata, error) {
 	if name == DefaultContextName {
 		defaultContext, err := s.Resolver()
 		if err != nil {
-			return store.ContextMetadata{}, err
+			return store.Metadata{}, err
 		}
 		return defaultContext.Meta, nil
 	}
-	return s.Store.GetContextMetadata(name)
+	return s.Store.GetMetadata(name)
 }

-// ResetContextTLSMaterial is not implemented for default context and fails
-func (s *ContextStoreWithDefault) ResetContextTLSMaterial(name string, data *store.ContextTLSData) error {
+// ResetTLSMaterial is not implemented for default context and fails
+func (s *ContextStoreWithDefault) ResetTLSMaterial(name string, data *store.ContextTLSData) error {
 	if name == DefaultContextName {
-		return errors.New("The default context store does not support ResetContextTLSMaterial")
+		return errors.New("The default context store does not support ResetTLSMaterial")
 	}
-	return s.Store.ResetContextTLSMaterial(name, data)
+	return s.Store.ResetTLSMaterial(name, data)
 }

-// ResetContextEndpointTLSMaterial is not implemented for default context and fails
-func (s *ContextStoreWithDefault) ResetContextEndpointTLSMaterial(contextName string, endpointName string, data *store.EndpointTLSData) error {
+// ResetEndpointTLSMaterial is not implemented for default context and fails
+func (s *ContextStoreWithDefault) ResetEndpointTLSMaterial(contextName string, endpointName string, data *store.EndpointTLSData) error {
 	if contextName == DefaultContextName {
-		return errors.New("The default context store does not support ResetContextEndpointTLSMaterial")
+		return errors.New("The default context store does not support ResetEndpointTLSMaterial")
 	}
-	return s.Store.ResetContextEndpointTLSMaterial(contextName, endpointName, data)
+	return s.Store.ResetEndpointTLSMaterial(contextName, endpointName, data)
 }

-// ListContextTLSFiles implements store.Store's ListContextTLSFiles
-func (s *ContextStoreWithDefault) ListContextTLSFiles(name string) (map[string]store.EndpointFiles, error) {
+// ListTLSFiles implements store.Store's ListTLSFiles
+func (s *ContextStoreWithDefault) ListTLSFiles(name string) (map[string]store.EndpointFiles, error) {
 	if name == DefaultContextName {
 		defaultContext, err := s.Resolver()
 		if err != nil {
@ -155,11 +155,11 @@ func (s *ContextStoreWithDefault) ListContextTLSFiles(name string) (map[string]s
 		}
 		return tlsfiles, nil
 	}
-	return s.Store.ListContextTLSFiles(name)
+	return s.Store.ListTLSFiles(name)
 }

-// GetContextTLSData implements store.Store's GetContextTLSData
-func (s *ContextStoreWithDefault) GetContextTLSData(contextName, endpointName, fileName string) ([]byte, error) {
+// GetTLSData implements store.Store's GetTLSData
+func (s *ContextStoreWithDefault) GetTLSData(contextName, endpointName, fileName string) ([]byte, error) {
 	if contextName == DefaultContextName {
 		defaultContext, err := s.Resolver()
 		if err != nil {
@ -171,7 +171,7 @@ func (s *ContextStoreWithDefault) GetContextTLSData(contextName, endpointName, f
 		return defaultContext.TLS.Endpoints[endpointName].Files[fileName], nil

 	}
-	return s.Store.GetContextTLSData(contextName, endpointName, fileName)
+	return s.Store.GetTLSData(contextName, endpointName, fileName)
 }

 type noDefaultTLSDataError struct {
@ -189,10 +189,10 @@ func (e *noDefaultTLSDataError) NotFound() {}
 // IsTLSDataDoesNotExist satisfies github.com/docker/cli/cli/context/store.tlsDataDoesNotExist
 func (e *noDefaultTLSDataError) IsTLSDataDoesNotExist() {}

-// GetContextStorageInfo implements store.Store's GetContextStorageInfo
-func (s *ContextStoreWithDefault) GetContextStorageInfo(contextName string) store.ContextStorageInfo {
+// GetStorageInfo implements store.Store's GetStorageInfo
+func (s *ContextStoreWithDefault) GetStorageInfo(contextName string) store.StorageInfo {
 	if contextName == DefaultContextName {
-		return store.ContextStorageInfo{MetadataPath: "<IN MEMORY>", TLSPath: "<IN MEMORY>"}
+		return store.StorageInfo{MetadataPath: "<IN MEMORY>", TLSPath: "<IN MEMORY>"}
 	}
-	return s.Store.GetContextStorageInfo(contextName)
+	return s.Store.GetStorageInfo(contextName)
 }
--- a/cli/command/defaultcontextstore_test.go
+++ b/cli/command/defaultcontextstore_test.go
@ -30,8 +30,8 @@ var testCfg = store.NewConfig(func() interface{} { return &testContext{} },
 	store.EndpointTypeGetter("ep2", func() interface{} { return &endpoint{} }),
 )

-func testDefaultMetadata() store.ContextMetadata {
-	return store.ContextMetadata{
+func testDefaultMetadata() store.Metadata {
+	return store.Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "bar"},
 		},
@ -40,7 +40,7 @@ func testDefaultMetadata() store.ContextMetadata {
 	}
 }

-func testStore(t *testing.T, meta store.ContextMetadata, tls store.ContextTLSData) (store.Store, func()) {
+func testStore(t *testing.T, meta store.Metadata, tls store.ContextTLSData) (store.Store, func()) {
 	//meta := testDefaultMetadata()
 	testDir, err := ioutil.TempDir("", t.Name())
 	assert.NilError(t, err)
@ -102,33 +102,33 @@ func TestExportDefaultImport(t *testing.T) {
 	err := store.Import("dest", s, r)
 	assert.NilError(t, err)

-	srcMeta, err := s.GetContextMetadata("default")
+	srcMeta, err := s.GetMetadata("default")
 	assert.NilError(t, err)
-	destMeta, err := s.GetContextMetadata("dest")
+	destMeta, err := s.GetMetadata("dest")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, destMeta.Metadata, srcMeta.Metadata)
 	assert.DeepEqual(t, destMeta.Endpoints, srcMeta.Endpoints)

-	srcFileList, err := s.ListContextTLSFiles("default")
+	srcFileList, err := s.ListTLSFiles("default")
 	assert.NilError(t, err)
-	destFileList, err := s.ListContextTLSFiles("dest")
+	destFileList, err := s.ListTLSFiles("dest")
 	assert.NilError(t, err)
 	assert.Equal(t, 1, len(destFileList))
 	assert.Equal(t, 1, len(srcFileList))
 	assert.Equal(t, 2, len(destFileList["ep2"]))
 	assert.Equal(t, 2, len(srcFileList["ep2"]))

-	srcData1, err := s.GetContextTLSData("default", "ep2", "file1")
+	srcData1, err := s.GetTLSData("default", "ep2", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, srcData1)
-	srcData2, err := s.GetContextTLSData("default", "ep2", "file2")
+	srcData2, err := s.GetTLSData("default", "ep2", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, srcData2)

-	destData1, err := s.GetContextTLSData("dest", "ep2", "file1")
+	destData1, err := s.GetTLSData("dest", "ep2", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, destData1)
-	destData2, err := s.GetContextTLSData("dest", "ep2", "file2")
+	destData2, err := s.GetTLSData("dest", "ep2", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, destData2)
 }
@ -137,7 +137,7 @@ func TestListDefaultContext(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	result, err := s.ListContexts()
+	result, err := s.List()
 	assert.NilError(t, err)
 	assert.Equal(t, 1, len(result))
 	assert.DeepEqual(t, meta, result[0])
@ -146,7 +146,7 @@ func TestListDefaultContext(t *testing.T) {
 func TestGetDefaultContextStorageInfo(t *testing.T) {
 	s, cleanup := testStore(t, testDefaultMetadata(), store.ContextTLSData{})
 	defer cleanup()
-	result := s.GetContextStorageInfo(DefaultContextName)
+	result := s.GetStorageInfo(DefaultContextName)
 	assert.Equal(t, "<IN MEMORY>", result.MetadataPath)
 	assert.Equal(t, "<IN MEMORY>", result.TLSPath)
 }
@ -155,7 +155,7 @@ func TestGetDefaultContextMetadata(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	result, err := s.GetContextMetadata(DefaultContextName)
+	result, err := s.GetMetadata(DefaultContextName)
 	assert.NilError(t, err)
 	assert.Equal(t, DefaultContextName, result.Name)
 	assert.DeepEqual(t, meta.Metadata, result.Metadata)
@ -166,7 +166,7 @@ func TestErrCreateDefault(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	err := s.CreateOrUpdateContext(store.ContextMetadata{
+	err := s.CreateOrUpdate(store.Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "bar"},
 		},
@ -180,7 +180,7 @@ func TestErrRemoveDefault(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	err := s.RemoveContext("default")
+	err := s.Remove("default")
 	assert.Error(t, err, "default context cannot be removed")
 }

@ -188,6 +188,6 @@ func TestErrTLSDataError(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	_, err := s.GetContextTLSData("default", "noop", "noop")
+	_, err := s.GetTLSData("default", "noop", "noop")
 	assert.Check(t, store.IsErrTLSDataDoesNotExist(err))
 }
--- a/cli/command/registry/login.go
+++ b/cli/command/registry/login.go
@ -143,7 +143,8 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
 	creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)

 	store, isDefault := creds.(isFileStore)
-	if isDefault {
+	// Display a warning if we're storing the users password (not a token)
+	if isDefault && authConfig.Password != "" {
 		err = displayUnencryptedWarning(dockerCli, store.GetFilename())
 		if err != nil {
 			return err
--- a/cli/command/registry/login_test.go
+++ b/cli/command/registry/login_test.go
@ -24,6 +24,7 @@ var testAuthErrors = map[string]error{
 }

 var expiredPassword = "I_M_EXPIRED"
+var useToken = "I_M_TOKEN"

 type fakeClient struct {
 	client.Client
@ -37,6 +38,11 @@ func (c fakeClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (r
 	if auth.Password == expiredPassword {
 		return registrytypes.AuthenticateOKBody{}, fmt.Errorf("Invalid Username or Password")
 	}
+	if auth.Password == useToken {
+		return registrytypes.AuthenticateOKBody{
+			IdentityToken: auth.Password,
+		}, nil
+	}
 	err := testAuthErrors[auth.Username]
 	return registrytypes.AuthenticateOKBody{}, err
 }
@ -90,6 +96,11 @@ func TestRunLogin(t *testing.T) {
 		Username:      validUsername,
 		Password:      expiredPassword,
 	}
+	validIdentityToken := configtypes.AuthConfig{
+		ServerAddress: storedServerAddress,
+		Username:      validUsername,
+		IdentityToken: useToken,
+	}
 	testCases := []struct {
 		inputLoginOption  loginOptions
 		inputStoredCred   *configtypes.AuthConfig
@ -134,6 +145,16 @@ func TestRunLogin(t *testing.T) {
 			inputStoredCred: &validAuthConfig,
 			expectedErr:     testAuthErrMsg,
 		},
+		{
+			inputLoginOption: loginOptions{
+				serverAddress: storedServerAddress,
+				user:          validUsername,
+				password:      useToken,
+			},
+			inputStoredCred:   &validIdentityToken,
+			expectedErr:       "",
+			expectedSavedCred: validIdentityToken,
+		},
 	}
 	for i, tc := range testCases {
 		t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
--- a/cli/command/service/create.go
+++ b/cli/command/service/create.go
@ -8,7 +8,9 @@ import (
 	"github.com/docker/cli/cli/command"
 	cliopts "github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@ -95,14 +97,8 @@ func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *serviceOptions
 		service.TaskTemplate.ContainerSpec.Secrets = secrets
 	}

-	specifiedConfigs := opts.configs.Value()
-	if len(specifiedConfigs) > 0 {
-		// parse and validate configs
-		configs, err := ParseConfigs(apiClient, specifiedConfigs)
-		if err != nil {
-			return err
-		}
-		service.TaskTemplate.ContainerSpec.Configs = configs
+	if err := setConfigs(apiClient, &service, opts); err != nil {
+		return err
 	}

 	if err := resolveServiceImageDigestContentTrust(dockerCli, &service); err != nil {
@ -141,3 +137,45 @@ func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *serviceOptions

 	return waitOnService(ctx, dockerCli, response.ID, opts.quiet)
 }
+
+// setConfigs does double duty: it both sets the ConfigReferences of the
+// service, and it sets the service CredentialSpec. This is because there is an
+// interplay between the CredentialSpec and the Config it depends on.
+func setConfigs(apiClient client.ConfigAPIClient, service *swarm.ServiceSpec, opts *serviceOptions) error {
+	specifiedConfigs := opts.configs.Value()
+	// if the user has requested to use a Config, for the CredentialSpec add it
+	// to the specifiedConfigs as a RuntimeTarget.
+	if cs := opts.credentialSpec.Value(); cs != nil && cs.Config != "" {
+		specifiedConfigs = append(specifiedConfigs, &swarm.ConfigReference{
+			ConfigName: cs.Config,
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		})
+	}
+	if len(specifiedConfigs) > 0 {
+		// parse and validate configs
+		configs, err := ParseConfigs(apiClient, specifiedConfigs)
+		if err != nil {
+			return err
+		}
+		service.TaskTemplate.ContainerSpec.Configs = configs
+		// if we have a CredentialSpec Config, find its ID and rewrite the
+		// field on the spec
+		//
+		// we check the opts instead of the service directly because there are
+		// a few layers of nullable objects in the service, which is a PITA
+		// to traverse, but the existence of the option implies that those are
+		// non-null.
+		if cs := opts.credentialSpec.Value(); cs != nil && cs.Config != "" {
+			for _, config := range configs {
+				if config.ConfigName == cs.Config {
+					service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config = config.ConfigID
+					// we've found the right config, no need to keep iterating
+					// through the rest of them.
+					break
+				}
+			}
+		}
+	}
+
+	return nil
+}
--- a/cli/command/service/create_test.go
+++ b/cli/command/service/create_test.go
@ -0,0 +1,271 @@
+package service
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+
+	cliopts "github.com/docker/cli/opts"
+)
+
+// fakeConfigAPIClientList is used to let us pass a closure as a
+// ConfigAPIClient, to use as ConfigList. for all the other methods in the
+// interface, it does nothing, not even return an error, so don't use them
+type fakeConfigAPIClientList func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
+
+func (f fakeConfigAPIClientList) ConfigList(ctx context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+	return f(ctx, opts)
+}
+
+func (f fakeConfigAPIClientList) ConfigCreate(_ context.Context, _ swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+	return types.ConfigCreateResponse{}, nil
+}
+
+func (f fakeConfigAPIClientList) ConfigRemove(_ context.Context, _ string) error {
+	return nil
+}
+
+func (f fakeConfigAPIClientList) ConfigInspectWithRaw(_ context.Context, _ string) (swarm.Config, []byte, error) {
+	return swarm.Config{}, nil, nil
+}
+
+func (f fakeConfigAPIClientList) ConfigUpdate(_ context.Context, _ string, _ swarm.Version, _ swarm.ConfigSpec) error {
+	return nil
+}
+
+// TestSetConfigsWithCredSpecAndConfigs tests that the setConfigs function for
+// create correctly looks up the right configs, and correctly handles the
+// credentialSpec
+func TestSetConfigsWithCredSpecAndConfigs(t *testing.T) {
+	// we can't directly access the internal fields of the ConfigOpt struct, so
+	// we need to let it do the parsing
+	configOpt := &cliopts.ConfigOpt{}
+	configOpt.Set("bar")
+	opts := &serviceOptions{
+		credentialSpec: credentialSpecOpt{
+			value: &swarm.CredentialSpec{
+				Config: "foo",
+			},
+			source: "config://foo",
+		},
+		configs: *configOpt,
+	}
+
+	// create a service spec. we need to be sure to fill in the nullable
+	// fields, like the code expects
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: opts.credentialSpec.value,
+				},
+			},
+		},
+	}
+
+	// set up a function to use as the list function
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		f := opts.Filters
+
+		// we're expecting the filter to have names "foo" and "bar"
+		names := f.Get("name")
+		assert.Equal(t, len(names), 2)
+		assert.Assert(t, is.Contains(names, "foo"))
+		assert.Assert(t, is.Contains(names, "bar"))
+
+		return []swarm.Config{
+			{
+				ID: "fooID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "foo",
+					},
+				},
+			}, {
+				ID: "barID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "bar",
+					},
+				},
+			},
+		}, nil
+	}
+
+	// now call setConfigs
+	err := setConfigs(fakeClient, service, opts)
+	// verify no error is returned
+	assert.NilError(t, err)
+
+	credSpecConfigValue := service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config
+	assert.Equal(t, credSpecConfigValue, "fooID")
+
+	configRefs := service.TaskTemplate.ContainerSpec.Configs
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "fooID",
+		ConfigName: "foo",
+		Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+	}), "expected configRefs to contain foo config")
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "barID",
+		ConfigName: "bar",
+		File: &swarm.ConfigReferenceFileTarget{
+			Name: "bar",
+			// these are the default field values
+			UID:  "0",
+			GID:  "0",
+			Mode: 0444,
+		},
+	}), "expected configRefs to contain bar config")
+}
+
+// TestSetConfigsOnlyCredSpec tests that even if a CredentialSpec is the only
+// config needed, setConfigs still works
+func TestSetConfigsOnlyCredSpec(t *testing.T) {
+	opts := &serviceOptions{
+		credentialSpec: credentialSpecOpt{
+			value: &swarm.CredentialSpec{
+				Config: "foo",
+			},
+			source: "config://foo",
+		},
+	}
+
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: opts.credentialSpec.value,
+				},
+			},
+		},
+	}
+
+	// set up a function to use as the list function
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		f := opts.Filters
+
+		names := f.Get("name")
+		assert.Equal(t, len(names), 1)
+		assert.Assert(t, is.Contains(names, "foo"))
+
+		return []swarm.Config{
+			{
+				ID: "fooID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "foo",
+					},
+				},
+			},
+		}, nil
+	}
+
+	// now call setConfigs
+	err := setConfigs(fakeClient, service, opts)
+	// verify no error is returned
+	assert.NilError(t, err)
+
+	credSpecConfigValue := service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config
+	assert.Equal(t, credSpecConfigValue, "fooID")
+
+	configRefs := service.TaskTemplate.ContainerSpec.Configs
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "fooID",
+		ConfigName: "foo",
+		Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+	}))
+}
+
+// TestSetConfigsOnlyConfigs verifies setConfigs when only configs (and not a
+// CredentialSpec) is needed.
+func TestSetConfigsOnlyConfigs(t *testing.T) {
+	configOpt := &cliopts.ConfigOpt{}
+	configOpt.Set("bar")
+	opts := &serviceOptions{
+		configs: *configOpt,
+	}
+
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		f := opts.Filters
+
+		names := f.Get("name")
+		assert.Equal(t, len(names), 1)
+		assert.Assert(t, is.Contains(names, "bar"))
+
+		return []swarm.Config{
+			{
+				ID: "barID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "bar",
+					},
+				},
+			},
+		}, nil
+	}
+
+	// now call setConfigs
+	err := setConfigs(fakeClient, service, opts)
+	// verify no error is returned
+	assert.NilError(t, err)
+
+	configRefs := service.TaskTemplate.ContainerSpec.Configs
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "barID",
+		ConfigName: "bar",
+		File: &swarm.ConfigReferenceFileTarget{
+			Name: "bar",
+			// these are the default field values
+			UID:  "0",
+			GID:  "0",
+			Mode: 0444,
+		},
+	}))
+}
+
+// TestSetConfigsNoConfigs checks that setConfigs works when there are no
+// configs of any kind needed
+func TestSetConfigsNoConfigs(t *testing.T) {
+	// add a credentialSpec that isn't a config
+	opts := &serviceOptions{
+		credentialSpec: credentialSpecOpt{
+			value: &swarm.CredentialSpec{
+				File: "foo",
+			},
+			source: "file://foo",
+		},
+	}
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: opts.credentialSpec.value,
+				},
+			},
+		},
+	}
+
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		// assert false -- we should never call this function
+		assert.Assert(t, false, "we should not be listing configs")
+		return nil, nil
+	}
+
+	err := setConfigs(fakeClient, service, opts)
+	assert.NilError(t, err)
+
+	// ensure that the value of the credentialspec has not changed
+	assert.Equal(t, service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.File, "foo")
+	assert.Equal(t, service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config, "")
+}
--- a/cli/command/service/opts.go
+++ b/cli/command/service/opts.go
@ -16,8 +16,8 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/api/defaults"
-	shlex "github.com/flynn-archive/go-shlex"
 	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/google/shlex"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
 )
@ -331,12 +331,25 @@ func (c *credentialSpecOpt) Set(value string) error {
 	c.source = value
 	c.value = &swarm.CredentialSpec{}
 	switch {
+	case strings.HasPrefix(value, "config://"):
+		// NOTE(dperny): we allow the user to specify the value of
+		// CredentialSpec Config using the Name of the config, but the API
+		// requires the ID of the config. For simplicity, we will parse
+		// whatever value is provided into the "Config" field, but before
+		// making API calls, we may need to swap the Config Name for the ID.
+		// Therefore, this isn't the definitive location for the value of
+		// Config that is passed to the API.
+		c.value.Config = strings.TrimPrefix(value, "config://")
 	case strings.HasPrefix(value, "file://"):
 		c.value.File = strings.TrimPrefix(value, "file://")
 	case strings.HasPrefix(value, "registry://"):
 		c.value.Registry = strings.TrimPrefix(value, "registry://")
+	case value == "":
+		// if the value of the flag is an empty string, that means there is no
+		// CredentialSpec needed. This is useful for removing a CredentialSpec
+		// during a service update.
 	default:
-		return errors.New("Invalid credential spec - value must be prefixed file:// or registry:// followed by a value")
+		return errors.New(`invalid credential spec: value must be prefixed with "config://", "file://", or "registry://"`)
 	}

 	return nil
@ -663,7 +676,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 		EndpointSpec:   options.endpoint.ToEndpointSpec(),
 	}

-	if options.credentialSpec.Value() != nil {
+	if options.credentialSpec.String() != "" && options.credentialSpec.Value() != nil {
 		service.TaskTemplate.ContainerSpec.Privileges = &swarm.Privileges{
 			CredentialSpec: options.credentialSpec.Value(),
 		}
--- a/cli/command/service/opts_test.go
+++ b/cli/command/service/opts_test.go
@ -14,6 +14,60 @@ import (
 	is "gotest.tools/assert/cmp"
 )

+func TestCredentialSpecOpt(t *testing.T) {
+	tests := []struct {
+		name        string
+		in          string
+		value       swarm.CredentialSpec
+		expectedErr string
+	}{
+		{
+			name:  "empty",
+			in:    "",
+			value: swarm.CredentialSpec{},
+		},
+		{
+			name:        "no-prefix",
+			in:          "noprefix",
+			value:       swarm.CredentialSpec{},
+			expectedErr: `invalid credential spec: value must be prefixed with "config://", "file://", or "registry://"`,
+		},
+		{
+			name:  "config",
+			in:    "config://0bt9dmxjvjiqermk6xrop3ekq",
+			value: swarm.CredentialSpec{Config: "0bt9dmxjvjiqermk6xrop3ekq"},
+		},
+		{
+			name:  "file",
+			in:    "file://somefile.json",
+			value: swarm.CredentialSpec{File: "somefile.json"},
+		},
+		{
+			name:  "registry",
+			in:    "registry://testing",
+			value: swarm.CredentialSpec{Registry: "testing"},
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			var cs credentialSpecOpt
+
+			err := cs.Set(tc.in)
+
+			if tc.expectedErr != "" {
+				assert.Error(t, err, tc.expectedErr)
+			} else {
+				assert.NilError(t, err)
+			}
+
+			assert.Equal(t, cs.String(), tc.in)
+			assert.DeepEqual(t, cs.Value(), &tc.value)
+		})
+	}
+}
+
 func TestMemBytesString(t *testing.T) {
 	var mem opts.MemBytes = 1048576
 	assert.Check(t, is.Equal("1MiB", mem.String()))
--- a/cli/command/service/parse.go
+++ b/cli/command/service/parse.go
@ -70,16 +70,40 @@ func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.
 		return []*swarmtypes.ConfigReference{}, nil
 	}

+	// the configRefs map has two purposes: it prevents duplication of config
+	// target filenames, and it it used to get all configs so we can resolve
+	// their IDs. unfortunately, there are other targets for ConfigReferences,
+	// besides just a File; specifically, the Runtime target, which is used for
+	// CredentialSpecs. Therefore, we need to have a list of ConfigReferences
+	// that are not File targets as well. at this time of writing, the only use
+	// for Runtime targets is CredentialSpecs. However, to future-proof this
+	// functionality, we should handle the case where multiple Runtime targets
+	// are in use for the same Config, and we should deduplicate
+	// such ConfigReferences, as no matter how many times the Config is used,
+	// it is only needed to be referenced once.
 	configRefs := make(map[string]*swarmtypes.ConfigReference)
+	runtimeRefs := make(map[string]*swarmtypes.ConfigReference)
 	ctx := context.Background()

 	for _, config := range requestedConfigs {
+		// copy the config, so we don't mutate the args
+		configRef := new(swarmtypes.ConfigReference)
+		*configRef = *config
+
+		if config.Runtime != nil {
+			// by assigning to a map based on ConfigName, if the same Config
+			// is required as a Runtime target for multiple purposes, we only
+			// include it once in the final set of configs.
+			runtimeRefs[config.ConfigName] = config
+			// continue, so we skip the logic below for handling file-type
+			// configs
+			continue
+		}
+
 		if _, exists := configRefs[config.File.Name]; exists {
 			return nil, errors.Errorf("duplicate config target for %s not allowed", config.ConfigName)
 		}

-		configRef := new(swarmtypes.ConfigReference)
-		*configRef = *config
 		configRefs[config.File.Name] = configRef
 	}

@ -87,6 +111,9 @@ func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.
 	for _, s := range configRefs {
 		args.Add("name", s.ConfigName)
 	}
+	for _, s := range runtimeRefs {
+		args.Add("name", s.ConfigName)
+	}

 	configs, err := client.ConfigList(ctx, types.ConfigListOptions{
 		Filters: args,
@ -114,5 +141,18 @@ func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.
 		addedConfigs = append(addedConfigs, ref)
 	}

+	// unfortunately, because the key of configRefs and runtimeRefs is different
+	// values that may collide, we can't just do some fancy trickery to
+	// concat maps, we need to do two separate loops
+	for _, ref := range runtimeRefs {
+		id, ok := foundConfigs[ref.ConfigName]
+		if !ok {
+			return nil, errors.Errorf("config not found: %s", ref.ConfigName)
+		}
+
+		ref.ConfigID = id
+		addedConfigs = append(addedConfigs, ref)
+	}
+
 	return addedConfigs, nil
 }
--- a/cli/command/service/update.go
+++ b/cli/command/service/update.go
@ -194,13 +194,18 @@ func runUpdate(dockerCli command.Cli, flags *pflag.FlagSet, options *serviceOpti

 	spec.TaskTemplate.ContainerSpec.Secrets = updatedSecrets

-	updatedConfigs, err := getUpdatedConfigs(apiClient, flags, spec.TaskTemplate.ContainerSpec.Configs)
+	updatedConfigs, err := getUpdatedConfigs(apiClient, flags, spec.TaskTemplate.ContainerSpec)
 	if err != nil {
 		return err
 	}

 	spec.TaskTemplate.ContainerSpec.Configs = updatedConfigs

+	// set the credential spec value after get the updated configs, because we
+	// might need the updated configs to set the correct value of the
+	// CredentialSpec.
+	updateCredSpecConfig(flags, spec.TaskTemplate.ContainerSpec)
+
 	// only send auth if flag was set
 	sendAuth, err := flags.GetBool(flagRegistryAuth)
 	if err != nil {
@ -731,20 +736,56 @@ func getUpdatedSecrets(apiClient client.SecretAPIClient, flags *pflag.FlagSet, s
 	return newSecrets, nil
 }

-func getUpdatedConfigs(apiClient client.ConfigAPIClient, flags *pflag.FlagSet, configs []*swarm.ConfigReference) ([]*swarm.ConfigReference, error) {
-	newConfigs := []*swarm.ConfigReference{}
+func getUpdatedConfigs(apiClient client.ConfigAPIClient, flags *pflag.FlagSet, spec *swarm.ContainerSpec) ([]*swarm.ConfigReference, error) {
+	var (
+		// credSpecConfigName stores the name of the config specified by the
+		// credential-spec flag. if a Runtime target Config with this name is
+		// already in the containerSpec, then this value will be set to
+		// emptystring in the removeConfigs stage. otherwise, a ConfigReference
+		// will be created to pass to ParseConfigs to get the ConfigID.
+		credSpecConfigName string
+		// credSpecConfigID stores the ID of the credential spec config if that
+		// config is being carried over from the old set of references
+		credSpecConfigID string
+	)

-	toRemove := buildToRemoveSet(flags, flagConfigRemove)
-	for _, config := range configs {
-		if _, exists := toRemove[config.ConfigName]; !exists {
-			newConfigs = append(newConfigs, config)
+	if flags.Changed(flagCredentialSpec) {
+		credSpec := flags.Lookup(flagCredentialSpec).Value.(*credentialSpecOpt).Value()
+		credSpecConfigName = credSpec.Config
+	} else {
+		// if the credential spec flag has not changed, then check if there
+		// already is a credentialSpec. if there is one, and it's for a Config,
+		// then it's from the old object, and its value is the config ID. we
+		// need this so we don't remove the config if the credential spec is
+		// not being updated.
+		if spec.Privileges != nil && spec.Privileges.CredentialSpec != nil {
+			if config := spec.Privileges.CredentialSpec.Config; config != "" {
+				credSpecConfigID = config
+			}
 		}
 	}

-	if flags.Changed(flagConfigAdd) {
-		values := flags.Lookup(flagConfigAdd).Value.(*opts.ConfigOpt).Value()
+	newConfigs := removeConfigs(flags, spec, credSpecConfigName, credSpecConfigID)

-		addConfigs, err := ParseConfigs(apiClient, values)
+	// resolveConfigs is a slice of any new configs that need to have the ID
+	// resolved
+	resolveConfigs := []*swarm.ConfigReference{}
+
+	if flags.Changed(flagConfigAdd) {
+		resolveConfigs = append(resolveConfigs, flags.Lookup(flagConfigAdd).Value.(*opts.ConfigOpt).Value()...)
+	}
+
+	// if credSpecConfigNameis non-empty at this point, it means its a new
+	// config, and we need to resolve its ID accordingly.
+	if credSpecConfigName != "" {
+		resolveConfigs = append(resolveConfigs, &swarm.ConfigReference{
+			ConfigName: credSpecConfigName,
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		})
+	}
+
+	if len(resolveConfigs) > 0 {
+		addConfigs, err := ParseConfigs(apiClient, resolveConfigs)
 		if err != nil {
 			return nil, err
 		}
@ -754,6 +795,42 @@ func getUpdatedConfigs(apiClient client.ConfigAPIClient, flags *pflag.FlagSet, c
 	return newConfigs, nil
 }

+// removeConfigs figures out which configs in the existing spec should be kept
+// after the update.
+func removeConfigs(flags *pflag.FlagSet, spec *swarm.ContainerSpec, credSpecName, credSpecID string) []*swarm.ConfigReference {
+	keepConfigs := []*swarm.ConfigReference{}
+
+	toRemove := buildToRemoveSet(flags, flagConfigRemove)
+	// all configs in spec.Configs should have both a Name and ID, because
+	// they come from an already-accepted spec.
+	for _, config := range spec.Configs {
+		// if the config is a Runtime target, make sure it's still in use right
+		// now, the only use for Runtime target is credential specs.  if, in
+		// the future, more uses are added, then this check will need to be
+		// made more intelligent.
+		if config.Runtime != nil {
+			// if we're carrying over a credential spec explicitly (because the
+			// user passed --credential-spec with the same config name) then we
+			// should match on credSpecName. if we're carrying over a
+			// credential spec implicitly (because the user did not pass any
+			// --credential-spec flag) then we should match on credSpecID. in
+			// either case, we're keeping the config that already exists.
+			if config.ConfigName == credSpecName || config.ConfigID == credSpecID {
+				keepConfigs = append(keepConfigs, config)
+			}
+			// continue the loop, to skip the part where we check if the config
+			// is in toRemove.
+			continue
+		}
+
+		if _, exists := toRemove[config.ConfigName]; !exists {
+			keepConfigs = append(keepConfigs, config)
+		}
+	}
+
+	return keepConfigs
+}
+
 func envKey(value string) string {
 	kv := strings.SplitN(value, "=", 2)
 	return kv[0]
@ -1220,3 +1297,48 @@ func updateNetworks(ctx context.Context, apiClient client.NetworkAPIClient, flag
 	spec.TaskTemplate.Networks = newNetworks
 	return nil
 }
+
+// updateCredSpecConfig updates the value of the credential spec Config field
+// to the config ID if the credential spec has changed. it mutates the passed
+// spec. it does not handle the case where the credential spec specifies a
+// config that does not exist -- that case is handled as part of
+// getUpdatedConfigs
+func updateCredSpecConfig(flags *pflag.FlagSet, containerSpec *swarm.ContainerSpec) {
+	if flags.Changed(flagCredentialSpec) {
+		credSpecOpt := flags.Lookup(flagCredentialSpec)
+		// if the flag has changed, and the value is empty string, then we
+		// should remove any credential spec that might be present
+		if credSpecOpt.Value.String() == "" {
+			if containerSpec.Privileges != nil {
+				containerSpec.Privileges.CredentialSpec = nil
+			}
+			return
+		}
+
+		// otherwise, set the credential spec to be the parsed value
+		credSpec := credSpecOpt.Value.(*credentialSpecOpt).Value()
+
+		// if this is a Config credential spec, we we still need to replace the
+		// value of credSpec.Config with the config ID instead of Name.
+		if credSpec.Config != "" {
+			for _, config := range containerSpec.Configs {
+				// if the config name matches, then set the config ID. we do
+				// not need to worry about if this is a Runtime target or not.
+				// even if it is not a Runtime target, getUpdatedConfigs
+				// ensures that a Runtime target for this config exists, and
+				// the Name is unique so the ID is correct no matter the
+				// target.
+				if config.ConfigName == credSpec.Config {
+					credSpec.Config = config.ConfigID
+					break
+				}
+			}
+		}
+
+		if containerSpec.Privileges == nil {
+			containerSpec.Privileges = &swarm.Privileges{}
+		}
+
+		containerSpec.Privileges.CredentialSpec = credSpec
+	}
+}
--- a/cli/command/service/update_test.go
+++ b/cli/command/service/update_test.go
@ -925,3 +925,326 @@ func TestUpdateSysCtls(t *testing.T) {
 		})
 	}
 }
+
+func TestUpdateGetUpdatedConfigs(t *testing.T) {
+	// cannedConfigs is a set of configs that we'll use over and over in the
+	// tests. it's a map of Name to Config
+	cannedConfigs := map[string]*swarm.Config{
+		"bar": {
+			ID: "barID",
+			Spec: swarm.ConfigSpec{
+				Annotations: swarm.Annotations{
+					Name: "bar",
+				},
+			},
+		},
+		"cred": {
+			ID: "credID",
+			Spec: swarm.ConfigSpec{
+				Annotations: swarm.Annotations{
+					Name: "cred",
+				},
+			},
+		},
+		"newCred": {
+			ID: "newCredID",
+			Spec: swarm.ConfigSpec{
+				Annotations: swarm.Annotations{
+					Name: "newCred",
+				},
+			},
+		},
+	}
+	// cannedConfigRefs is the same thing, but with config references instead
+	// instead of ID, however, it just maps an arbitrary string value. this is
+	// so we could have multiple config refs using the same config
+	cannedConfigRefs := map[string]*swarm.ConfigReference{
+		"fooRef": {
+			ConfigID:   "fooID",
+			ConfigName: "foo",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "foo",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		"barRef": {
+			ConfigID:   "barID",
+			ConfigName: "bar",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "bar",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		"bazRef": {
+			ConfigID:   "bazID",
+			ConfigName: "baz",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "baz",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		"credRef": {
+			ConfigID:   "credID",
+			ConfigName: "cred",
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		},
+		"newCredRef": {
+			ConfigID:   "newCredID",
+			ConfigName: "newCred",
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		},
+	}
+
+	type flagVal [2]string
+	type test struct {
+		// the name of the subtest
+		name string
+		// flags are the flags we'll be setting
+		flags []flagVal
+		// oldConfigs are the configs that would already be on the service
+		// it is a slice of strings corresponding to the the key of
+		// cannedConfigRefs
+		oldConfigs []string
+		// oldCredSpec is the credentialSpec being carried over from the old
+		// object
+		oldCredSpec *swarm.CredentialSpec
+		// lookupConfigs are the configs we're expecting to be listed. it is a
+		// slice of strings corresponding to the key of cannedConfigs
+		lookupConfigs []string
+		// expected is the configs we should get as a result. it is a slice of
+		// strings corresponding to the key in cannedConfigRefs
+		expected []string
+	}
+
+	testCases := []test{
+		{
+			name:       "no configs added or removed",
+			oldConfigs: []string{"fooRef"},
+			expected:   []string{"fooRef"},
+		}, {
+			name:          "add a config",
+			flags:         []flagVal{{"config-add", "bar"}},
+			oldConfigs:    []string{"fooRef"},
+			lookupConfigs: []string{"bar"},
+			expected:      []string{"fooRef", "barRef"},
+		}, {
+			name:       "remove a config",
+			flags:      []flagVal{{"config-rm", "bar"}},
+			oldConfigs: []string{"fooRef", "barRef"},
+			expected:   []string{"fooRef"},
+		}, {
+			name:        "include an old credential spec",
+			oldConfigs:  []string{"credRef"},
+			oldCredSpec: &swarm.CredentialSpec{Config: "credID"},
+			expected:    []string{"credRef"},
+		}, {
+			name:          "add a credential spec",
+			oldConfigs:    []string{"fooRef"},
+			flags:         []flagVal{{"credential-spec", "config://cred"}},
+			lookupConfigs: []string{"cred"},
+			expected:      []string{"fooRef", "credRef"},
+		}, {
+			name:          "change a credential spec",
+			oldConfigs:    []string{"fooRef", "credRef"},
+			oldCredSpec:   &swarm.CredentialSpec{Config: "credID"},
+			flags:         []flagVal{{"credential-spec", "config://newCred"}},
+			lookupConfigs: []string{"newCred"},
+			expected:      []string{"fooRef", "newCredRef"},
+		}, {
+			name:          "credential spec no longer config",
+			oldConfigs:    []string{"fooRef", "credRef"},
+			oldCredSpec:   &swarm.CredentialSpec{Config: "credID"},
+			flags:         []flagVal{{"credential-spec", "file://someFile"}},
+			lookupConfigs: []string{},
+			expected:      []string{"fooRef"},
+		}, {
+			name:          "credential spec becomes config",
+			oldConfigs:    []string{"fooRef"},
+			oldCredSpec:   &swarm.CredentialSpec{File: "someFile"},
+			flags:         []flagVal{{"credential-spec", "config://cred"}},
+			lookupConfigs: []string{"cred"},
+			expected:      []string{"fooRef", "credRef"},
+		}, {
+			name:          "remove credential spec",
+			oldConfigs:    []string{"fooRef", "credRef"},
+			oldCredSpec:   &swarm.CredentialSpec{Config: "credID"},
+			flags:         []flagVal{{"credential-spec", ""}},
+			lookupConfigs: []string{},
+			expected:      []string{"fooRef"},
+		}, {
+			name: "just frick my stuff up",
+			// a more complicated test. add barRef, remove bazRef, keep fooRef,
+			// change credentialSpec from credRef to newCredRef
+			oldConfigs:  []string{"fooRef", "bazRef", "credRef"},
+			oldCredSpec: &swarm.CredentialSpec{Config: "cred"},
+			flags: []flagVal{
+				{"config-add", "bar"},
+				{"config-rm", "baz"},
+				{"credential-spec", "config://newCred"},
+			},
+			lookupConfigs: []string{"bar", "newCred"},
+			expected:      []string{"fooRef", "barRef", "newCredRef"},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			flags := newUpdateCommand(nil).Flags()
+			for _, f := range tc.flags {
+				flags.Set(f[0], f[1])
+			}
+
+			// fakeConfigAPIClientList is actually defined in create_test.go,
+			// but we'll use it here as well
+			var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+				names := opts.Filters.Get("name")
+				assert.Equal(t, len(names), len(tc.lookupConfigs))
+
+				configs := []swarm.Config{}
+				for _, lookup := range tc.lookupConfigs {
+					assert.Assert(t, is.Contains(names, lookup))
+					cfg, ok := cannedConfigs[lookup]
+					assert.Assert(t, ok)
+					configs = append(configs, *cfg)
+				}
+				return configs, nil
+			}
+
+			// build the actual set of old configs and the container spec
+			oldConfigs := []*swarm.ConfigReference{}
+			for _, config := range tc.oldConfigs {
+				cfg, ok := cannedConfigRefs[config]
+				assert.Assert(t, ok)
+				oldConfigs = append(oldConfigs, cfg)
+			}
+
+			containerSpec := &swarm.ContainerSpec{
+				Configs: oldConfigs,
+				Privileges: &swarm.Privileges{
+					CredentialSpec: tc.oldCredSpec,
+				},
+			}
+
+			finalConfigs, err := getUpdatedConfigs(fakeClient, flags, containerSpec)
+			assert.NilError(t, err)
+
+			// ensure that the finalConfigs consists of all of the expected
+			// configs
+			assert.Equal(t, len(finalConfigs), len(tc.expected),
+				"%v final configs, %v expected",
+				len(finalConfigs), len(tc.expected),
+			)
+			for _, expected := range tc.expected {
+				assert.Assert(t, is.Contains(finalConfigs, cannedConfigRefs[expected]))
+			}
+		})
+	}
+}
+
+func TestUpdateCredSpec(t *testing.T) {
+	type testCase struct {
+		// name is the name of the subtest
+		name string
+		// flagVal is the value we're setting flagCredentialSpec to
+		flagVal string
+		// spec is the existing serviceSpec with its configs
+		spec *swarm.ContainerSpec
+		// expected is the expected value of the credential spec after the
+		// function. it may be nil
+		expected *swarm.CredentialSpec
+	}
+
+	testCases := []testCase{
+		{
+			name:     "add file credential spec",
+			flagVal:  "file://somefile",
+			spec:     &swarm.ContainerSpec{},
+			expected: &swarm.CredentialSpec{File: "somefile"},
+		}, {
+			name:    "remove a file credential spec",
+			flagVal: "",
+			spec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: &swarm.CredentialSpec{
+						File: "someFile",
+					},
+				},
+			},
+			expected: nil,
+		}, {
+			name:     "remove when no CredentialSpec exists",
+			flagVal:  "",
+			spec:     &swarm.ContainerSpec{},
+			expected: nil,
+		}, {
+			name:    "add a config credenital spec",
+			flagVal: "config://someConfigName",
+			spec: &swarm.ContainerSpec{
+				Configs: []*swarm.ConfigReference{
+					{
+						ConfigName: "someConfigName",
+						ConfigID:   "someConfigID",
+						Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+					},
+				},
+			},
+			expected: &swarm.CredentialSpec{
+				Config: "someConfigID",
+			},
+		}, {
+			name:    "remove a config credential spec",
+			flagVal: "",
+			spec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: &swarm.CredentialSpec{
+						Config: "someConfigID",
+					},
+				},
+			},
+			expected: nil,
+		}, {
+			name:    "update a config credential spec",
+			flagVal: "config://someConfigName",
+			spec: &swarm.ContainerSpec{
+				Configs: []*swarm.ConfigReference{
+					{
+						ConfigName: "someConfigName",
+						ConfigID:   "someConfigID",
+						Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+					},
+				},
+				Privileges: &swarm.Privileges{
+					CredentialSpec: &swarm.CredentialSpec{
+						Config: "someDifferentConfigID",
+					},
+				},
+			},
+			expected: &swarm.CredentialSpec{
+				Config: "someConfigID",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			flags := newUpdateCommand(nil).Flags()
+			flags.Set(flagCredentialSpec, tc.flagVal)
+
+			updateCredSpecConfig(flags, tc.spec)
+			// handle the case where tc.spec.Privileges is nil
+			if tc.expected == nil {
+				assert.Assert(t, tc.spec.Privileges == nil || tc.spec.Privileges.CredentialSpec == nil)
+				return
+			}
+
+			assert.Assert(t, tc.spec.Privileges != nil)
+			assert.DeepEqual(t, tc.spec.Privileges.CredentialSpec, tc.expected)
+		})
+	}
+}
--- a/cli/command/stack/kubernetes/convert.go
+++ b/cli/command/stack/kubernetes/convert.go
@ -14,16 +14,17 @@ import (
 	latest "github.com/docker/compose-on-kubernetes/api/compose/v1alpha3"
 	"github.com/docker/compose-on-kubernetes/api/compose/v1beta1"
 	"github.com/docker/compose-on-kubernetes/api/compose/v1beta2"
+	"github.com/docker/go-connections/nat"
+	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 	yaml "gopkg.in/yaml.v2"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 const (
-	// pullSecretExtraField is an extra field on ServiceConfigs usable to reference a pull secret
-	pullSecretExtraField = "x-pull-secret"
-	// pullPolicyExtraField is an extra field on ServiceConfigs usable to specify a pull policy
-	pullPolicyExtraField = "x-pull-policy"
+	// kubernatesExtraField is an extra field on ServiceConfigs containing kubernetes-specific extensions to compose format
+	kubernatesExtraField = "x-kubernetes"
 )

 // NewStackConverter returns a converter from types.Config (compose) to the specified
@ -245,10 +246,8 @@ func fromComposeConfigs(s map[string]composeTypes.ConfigObjConfig) map[string]la

 func fromComposeServiceConfig(s composeTypes.ServiceConfig, capabilities composeCapabilities) (latest.ServiceConfig, error) {
 	var (
-		userID     *int64
-		pullSecret string
-		pullPolicy string
-		err        error
+		userID *int64
+		err    error
 	)
 	if s.User != "" {
 		numerical, err := strconv.Atoi(s.User)
@ -257,20 +256,22 @@ func fromComposeServiceConfig(s composeTypes.ServiceConfig, capabilities compose
 			userID = &unixUserID
 		}
 	}
-	pullSecret, err = resolveServiceExtra(s, pullSecretExtraField)
+	kubeExtra, err := resolveServiceExtra(s)
 	if err != nil {
 		return latest.ServiceConfig{}, err
 	}
-	pullPolicy, err = resolveServiceExtra(s, pullPolicyExtraField)
+	if kubeExtra.PullSecret != "" && !capabilities.hasPullSecrets {
+		return latest.ServiceConfig{}, errors.Errorf(`stack API version %s does not support pull secrets (field "x-kubernetes.pull_secret"), please use version v1alpha3 or higher`, capabilities.apiVersion)
+	}
+	if kubeExtra.PullPolicy != "" && !capabilities.hasPullPolicies {
+		return latest.ServiceConfig{}, errors.Errorf(`stack API version %s does not support pull policies (field "x-kubernetes.pull_policy"), please use version v1alpha3 or higher`, capabilities.apiVersion)
+	}
+
+	internalPorts, err := setupIntraStackNetworking(s, kubeExtra, capabilities)
 	if err != nil {
 		return latest.ServiceConfig{}, err
 	}
-	if pullSecret != "" && !capabilities.hasPullSecrets {
-		return latest.ServiceConfig{}, errors.Errorf("stack API version %s does not support pull secrets (field %q), please use version v1alpha3 or higher", capabilities.apiVersion, pullSecretExtraField)
-	}
-	if pullPolicy != "" && !capabilities.hasPullPolicies {
-		return latest.ServiceConfig{}, errors.Errorf("stack API version %s does not support pull policies (field %q), please use version v1alpha3 or higher", capabilities.apiVersion, pullPolicyExtraField)
-	}
+
 	return latest.ServiceConfig{
 		Name:    s.Name,
 		CapAdd:  s.CapAdd,
@ -286,40 +287,96 @@ func fromComposeServiceConfig(s composeTypes.ServiceConfig, capabilities compose
 			RestartPolicy: fromComposeRestartPolicy(s.Deploy.RestartPolicy),
 			Placement:     fromComposePlacement(s.Deploy.Placement),
 		},
-		Entrypoint:      s.Entrypoint,
-		Environment:     s.Environment,
-		ExtraHosts:      s.ExtraHosts,
-		Hostname:        s.Hostname,
-		HealthCheck:     fromComposeHealthcheck(s.HealthCheck),
-		Image:           s.Image,
-		Ipc:             s.Ipc,
-		Labels:          s.Labels,
-		Pid:             s.Pid,
-		Ports:           fromComposePorts(s.Ports),
-		Privileged:      s.Privileged,
-		ReadOnly:        s.ReadOnly,
-		Secrets:         fromComposeServiceSecrets(s.Secrets),
-		StdinOpen:       s.StdinOpen,
-		StopGracePeriod: composetypes.ConvertDurationPtr(s.StopGracePeriod),
-		Tmpfs:           s.Tmpfs,
-		Tty:             s.Tty,
-		User:            userID,
-		Volumes:         fromComposeServiceVolumeConfig(s.Volumes),
-		WorkingDir:      s.WorkingDir,
-		PullSecret:      pullSecret,
-		PullPolicy:      pullPolicy,
+		Entrypoint:          s.Entrypoint,
+		Environment:         s.Environment,
+		ExtraHosts:          s.ExtraHosts,
+		Hostname:            s.Hostname,
+		HealthCheck:         fromComposeHealthcheck(s.HealthCheck),
+		Image:               s.Image,
+		Ipc:                 s.Ipc,
+		Labels:              s.Labels,
+		Pid:                 s.Pid,
+		Ports:               fromComposePorts(s.Ports),
+		Privileged:          s.Privileged,
+		ReadOnly:            s.ReadOnly,
+		Secrets:             fromComposeServiceSecrets(s.Secrets),
+		StdinOpen:           s.StdinOpen,
+		StopGracePeriod:     composetypes.ConvertDurationPtr(s.StopGracePeriod),
+		Tmpfs:               s.Tmpfs,
+		Tty:                 s.Tty,
+		User:                userID,
+		Volumes:             fromComposeServiceVolumeConfig(s.Volumes),
+		WorkingDir:          s.WorkingDir,
+		PullSecret:          kubeExtra.PullSecret,
+		PullPolicy:          kubeExtra.PullPolicy,
+		InternalServiceType: kubeExtra.InternalServiceType,
+		InternalPorts:       internalPorts,
 	}, nil
 }

-func resolveServiceExtra(s composeTypes.ServiceConfig, field string) (string, error) {
-	if iface, ok := s.Extras[field]; ok {
-		value, ok := iface.(string)
-		if !ok {
-			return "", errors.Errorf("field %q: value %v type is %T, should be a string", field, iface, iface)
-		}
-		return value, nil
+func setupIntraStackNetworking(s composeTypes.ServiceConfig, kubeExtra kubernetesExtra, capabilities composeCapabilities) ([]latest.InternalPort, error) {
+	if kubeExtra.InternalServiceType != latest.InternalServiceTypeAuto && !capabilities.hasIntraStackLoadBalancing {
+		return nil,
+			errors.Errorf(`stack API version %s does not support intra-stack load balancing (field "x-kubernetes.internal_service_type"), please use version v1alpha3 or higher`,
+				capabilities.apiVersion)
 	}
-	return "", nil
+	if !capabilities.hasIntraStackLoadBalancing {
+		return nil, nil
+	}
+	if err := validateInternalServiceType(kubeExtra.InternalServiceType); err != nil {
+		return nil, err
+	}
+	internalPorts, err := toInternalPorts(s.Expose)
+	if err != nil {
+		return nil, err
+	}
+	return internalPorts, nil
+}
+
+func validateInternalServiceType(internalServiceType latest.InternalServiceType) error {
+	switch internalServiceType {
+	case latest.InternalServiceTypeAuto, latest.InternalServiceTypeClusterIP, latest.InternalServiceTypeHeadless:
+	default:
+		return errors.Errorf(`invalid value %q for field "x-kubernetes.internal_service_type", valid values are %q or %q`, internalServiceType,
+			latest.InternalServiceTypeClusterIP,
+			latest.InternalServiceTypeHeadless)
+	}
+	return nil
+}
+
+func toInternalPorts(expose []string) ([]latest.InternalPort, error) {
+	var internalPorts []latest.InternalPort
+	for _, sourcePort := range expose {
+		proto, port := nat.SplitProtoPort(sourcePort)
+		start, end, err := nat.ParsePortRange(port)
+		if err != nil {
+			return nil, errors.Errorf("invalid format for expose: %q, error: %s", sourcePort, err)
+		}
+		for i := start; i <= end; i++ {
+			k8sProto := v1.Protocol(strings.ToUpper(proto))
+			switch k8sProto {
+			case v1.ProtocolSCTP, v1.ProtocolTCP, v1.ProtocolUDP:
+			default:
+				return nil, errors.Errorf("invalid protocol for expose: %q, supported values are %q, %q and %q", sourcePort, v1.ProtocolSCTP, v1.ProtocolTCP, v1.ProtocolUDP)
+			}
+			internalPorts = append(internalPorts, latest.InternalPort{
+				Port:     int32(i),
+				Protocol: k8sProto,
+			})
+		}
+	}
+	return internalPorts, nil
+}
+
+func resolveServiceExtra(s composeTypes.ServiceConfig) (kubernetesExtra, error) {
+	if iface, ok := s.Extras[kubernatesExtraField]; ok {
+		var result kubernetesExtra
+		if err := mapstructure.Decode(iface, &result); err != nil {
+			return kubernetesExtra{}, err
+		}
+		return result, nil
+	}
+	return kubernetesExtra{}, nil
 }

 func fromComposePorts(ports []composeTypes.ServicePortConfig) []latest.ServicePortConfig {
@ -489,14 +546,22 @@ var (
 		apiVersion: "v1beta2",
 	}
 	v1alpha3Capabilities = composeCapabilities{
-		apiVersion:      "v1alpha3",
-		hasPullSecrets:  true,
-		hasPullPolicies: true,
+		apiVersion:                 "v1alpha3",
+		hasPullSecrets:             true,
+		hasPullPolicies:            true,
+		hasIntraStackLoadBalancing: true,
 	}
 )

 type composeCapabilities struct {
-	apiVersion      string
-	hasPullSecrets  bool
-	hasPullPolicies bool
+	apiVersion                 string
+	hasPullSecrets             bool
+	hasPullPolicies            bool
+	hasIntraStackLoadBalancing bool
+}
+
+type kubernetesExtra struct {
+	PullSecret          string                     `mapstructure:"pull_secret"`
+	PullPolicy          string                     `mapstructure:"pull_policy"`
+	InternalServiceType latest.InternalServiceType `mapstructure:"internal_service_type"`
 }
--- a/cli/command/stack/kubernetes/convert_test.go
+++ b/cli/command/stack/kubernetes/convert_test.go
@ -13,6 +13,7 @@ import (
 	"github.com/docker/compose-on-kubernetes/api/compose/v1beta2"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

@ -188,8 +189,8 @@ func TestHandlePullSecret(t *testing.T) {
 		version string
 		err     string
 	}{
-		{version: "v1beta1", err: `stack API version v1beta1 does not support pull secrets (field "x-pull-secret"), please use version v1alpha3 or higher`},
-		{version: "v1beta2", err: `stack API version v1beta2 does not support pull secrets (field "x-pull-secret"), please use version v1alpha3 or higher`},
+		{version: "v1beta1", err: `stack API version v1beta1 does not support pull secrets (field "x-kubernetes.pull_secret"), please use version v1alpha3 or higher`},
+		{version: "v1beta2", err: `stack API version v1beta2 does not support pull secrets (field "x-kubernetes.pull_secret"), please use version v1alpha3 or higher`},
 		{version: "v1alpha3"},
 	}

@ -215,8 +216,8 @@ func TestHandlePullPolicy(t *testing.T) {
 		version string
 		err     string
 	}{
-		{version: "v1beta1", err: `stack API version v1beta1 does not support pull policies (field "x-pull-policy"), please use version v1alpha3 or higher`},
-		{version: "v1beta2", err: `stack API version v1beta2 does not support pull policies (field "x-pull-policy"), please use version v1alpha3 or higher`},
+		{version: "v1beta1", err: `stack API version v1beta1 does not support pull policies (field "x-kubernetes.pull_policy"), please use version v1alpha3 or higher`},
+		{version: "v1beta2", err: `stack API version v1beta2 does not support pull policies (field "x-kubernetes.pull_policy"), please use version v1alpha3 or higher`},
 		{version: "v1alpha3"},
 	}

@ -235,3 +236,111 @@ func TestHandlePullPolicy(t *testing.T) {
 		})
 	}
 }
+
+func TestHandleInternalServiceType(t *testing.T) {
+	cases := []struct {
+		name     string
+		value    string
+		caps     composeCapabilities
+		err      string
+		expected v1alpha3.InternalServiceType
+	}{
+		{
+			name:  "v1beta1",
+			value: "ClusterIP",
+			caps:  v1beta1Capabilities,
+			err:   `stack API version v1beta1 does not support intra-stack load balancing (field "x-kubernetes.internal_service_type"), please use version v1alpha3 or higher`,
+		},
+		{
+			name:  "v1beta2",
+			value: "ClusterIP",
+			caps:  v1beta2Capabilities,
+			err:   `stack API version v1beta2 does not support intra-stack load balancing (field "x-kubernetes.internal_service_type"), please use version v1alpha3 or higher`,
+		},
+		{
+			name:     "v1alpha3",
+			value:    "ClusterIP",
+			caps:     v1alpha3Capabilities,
+			expected: v1alpha3.InternalServiceTypeClusterIP,
+		},
+		{
+			name:  "v1alpha3-invalid",
+			value: "invalid",
+			caps:  v1alpha3Capabilities,
+			err:   `invalid value "invalid" for field "x-kubernetes.internal_service_type", valid values are "ClusterIP" or "Headless"`,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			res, err := fromComposeServiceConfig(composetypes.ServiceConfig{
+				Name:  "test",
+				Image: "test",
+				Extras: map[string]interface{}{
+					"x-kubernetes": map[string]interface{}{
+						"internal_service_type": c.value,
+					},
+				},
+			}, c.caps)
+			if c.err == "" {
+				assert.NilError(t, err)
+				assert.Equal(t, res.InternalServiceType, c.expected)
+			} else {
+				assert.ErrorContains(t, err, c.err)
+			}
+		})
+	}
+}
+
+func TestIgnoreExpose(t *testing.T) {
+	testData := loadTestStackWith(t, "expose")
+	for _, version := range []string{"v1beta1", "v1beta2"} {
+		conv, err := NewStackConverter(version)
+		assert.NilError(t, err)
+		s, err := conv.FromCompose(ioutil.Discard, "test", testData)
+		assert.NilError(t, err)
+		assert.Equal(t, len(s.Spec.Services[0].InternalPorts), 0)
+	}
+}
+
+func TestParseExpose(t *testing.T) {
+	testData := loadTestStackWith(t, "expose")
+	conv, err := NewStackConverter("v1alpha3")
+	assert.NilError(t, err)
+	s, err := conv.FromCompose(ioutil.Discard, "test", testData)
+	assert.NilError(t, err)
+	expected := []v1alpha3.InternalPort{
+		{
+			Port:     1,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     2,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     3,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     4,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     5,
+			Protocol: v1.ProtocolUDP,
+		},
+		{
+			Port:     6,
+			Protocol: v1.ProtocolUDP,
+		},
+		{
+			Port:     7,
+			Protocol: v1.ProtocolUDP,
+		},
+		{
+			Port:     8,
+			Protocol: v1.ProtocolUDP,
+		},
+	}
+	assert.DeepEqual(t, s.Spec.Services[0].InternalPorts, expected)
+}
--- a/cli/command/stack/kubernetes/testdata/compose-with-expose.yml
+++ b/cli/command/stack/kubernetes/testdata/compose-with-expose.yml
@ -0,0 +1,9 @@
+version: "3.7"
+services:
+  test:
+    image: "some-image"
+    expose:
+    - "1" # default protocol, single port
+    - "2-4" # default protocol, port range
+    - "5/udp" # specific protocol, single port
+    - "6-8/udp" # specific protocol, port range
--- a/cli/command/stack/kubernetes/testdata/compose-with-pull-policy.yml
+++ b/cli/command/stack/kubernetes/testdata/compose-with-pull-policy.yml
@ -2,4 +2,5 @@ version: "3.7"
 services:
  test:
    image: "some-image"
-    x-pull-policy: "Never"
+    x-kubernetes:
+      pull_policy: "Never"
--- a/cli/command/stack/kubernetes/testdata/compose-with-pull-secret.yml
+++ b/cli/command/stack/kubernetes/testdata/compose-with-pull-secret.yml
@ -2,4 +2,5 @@ version: "3.7"
 services:
  test:
    image: "some-private-image"
-    x-pull-secret: "some-secret"
+    x-kubernetes:
+      pull_secret: "some-secret"
--- a/cli/command/utils.go
+++ b/cli/command/utils.go
@ -161,3 +161,34 @@ func ValidateOutputPathFileMode(fileMode os.FileMode) error {
 	}
 	return nil
 }
+
+func stringSliceIndex(s, subs []string) int {
+	j := 0
+	if len(subs) > 0 {
+		for i, x := range s {
+			if j < len(subs) && subs[j] == x {
+				j++
+			} else {
+				j = 0
+			}
+			if len(subs) == j {
+				return i + 1 - j
+			}
+		}
+	}
+	return -1
+}
+
+// StringSliceReplaceAt replaces the sub-slice old, with the sub-slice new, in the string
+// slice s, returning a new slice and a boolean indicating if the replacement happened.
+// requireIdx is the index at which old needs to be found at (or -1 to disregard that).
+func StringSliceReplaceAt(s, old, new []string, requireIndex int) ([]string, bool) {
+	idx := stringSliceIndex(s, old)
+	if (requireIndex != -1 && requireIndex != idx) || idx == -1 {
+		return s, false
+	}
+	out := append([]string{}, s[:idx]...)
+	out = append(out, new...)
+	out = append(out, s[idx+len(old):]...)
+	return out, true
+}
--- a/cli/command/utils_test.go
+++ b/cli/command/utils_test.go
@ -0,0 +1,33 @@
+package command
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func TestStringSliceReplaceAt(t *testing.T) {
+	out, ok := StringSliceReplaceAt([]string{"abc", "foo", "bar", "bax"}, []string{"foo", "bar"}, []string{"baz"}, -1)
+	assert.Assert(t, ok)
+	assert.DeepEqual(t, []string{"abc", "baz", "bax"}, out)
+
+	out, ok = StringSliceReplaceAt([]string{"foo"}, []string{"foo", "bar"}, []string{"baz"}, -1)
+	assert.Assert(t, !ok)
+	assert.DeepEqual(t, []string{"foo"}, out)
+
+	out, ok = StringSliceReplaceAt([]string{"abc", "foo", "bar", "bax"}, []string{"foo", "bar"}, []string{"baz"}, 0)
+	assert.Assert(t, !ok)
+	assert.DeepEqual(t, []string{"abc", "foo", "bar", "bax"}, out)
+
+	out, ok = StringSliceReplaceAt([]string{"foo", "bar", "bax"}, []string{"foo", "bar"}, []string{"baz"}, 0)
+	assert.Assert(t, ok)
+	assert.DeepEqual(t, []string{"baz", "bax"}, out)
+
+	out, ok = StringSliceReplaceAt([]string{"abc", "foo", "bar", "baz"}, []string{"foo", "bar"}, nil, -1)
+	assert.Assert(t, ok)
+	assert.DeepEqual(t, []string{"abc", "baz"}, out)
+
+	out, ok = StringSliceReplaceAt([]string{"foo"}, nil, []string{"baz"}, -1)
+	assert.Assert(t, !ok)
+	assert.DeepEqual(t, []string{"foo"}, out)
+}
--- a/cli/compose/convert/compose.go
+++ b/cli/compose/convert/compose.go
@ -106,11 +106,23 @@ func Secrets(namespace Namespace, secrets map[string]composetypes.SecretConfig)
 			continue
 		}

-		obj, err := fileObjectConfig(namespace, name, composetypes.FileObjectConfig(secret))
+		var obj swarmFileObject
+		var err error
+		if secret.Driver != "" {
+			obj, err = driverObjectConfig(namespace, name, composetypes.FileObjectConfig(secret))
+		} else {
+			obj, err = fileObjectConfig(namespace, name, composetypes.FileObjectConfig(secret))
+		}
 		if err != nil {
 			return nil, err
 		}
 		spec := swarm.SecretSpec{Annotations: obj.Annotations, Data: obj.Data}
+		if secret.Driver != "" {
+			spec.Driver = &swarm.Driver{
+				Name:    secret.Driver,
+				Options: secret.DriverOpts,
+			}
+		}
 		if secret.TemplateDriver != "" {
 			spec.Templating = &swarm.Driver{
 				Name: secret.TemplateDriver,
@ -149,6 +161,22 @@ type swarmFileObject struct {
 	Data        []byte
 }

+func driverObjectConfig(namespace Namespace, name string, obj composetypes.FileObjectConfig) (swarmFileObject, error) {
+	if obj.Name != "" {
+		name = obj.Name
+	} else {
+		name = namespace.Scope(name)
+	}
+
+	return swarmFileObject{
+		Annotations: swarm.Annotations{
+			Name:   name,
+			Labels: AddStackLabel(namespace, obj.Labels),
+		},
+		Data: []byte{},
+	}, nil
+}
+
 func fileObjectConfig(namespace Namespace, name string, obj composetypes.FileObjectConfig) (swarmFileObject, error) {
 	data, err := ioutil.ReadFile(obj.File)
 	if err != nil {
--- a/cli/compose/convert/service.go
+++ b/cli/compose/convert/service.go
@ -40,7 +40,7 @@ func Services(
 		if err != nil {
 			return nil, errors.Wrapf(err, "service %s", service.Name)
 		}
-		configs, err := convertServiceConfigObjs(client, namespace, service.Configs, config.Configs)
+		configs, err := convertServiceConfigObjs(client, namespace, service, config.Configs)
 		if err != nil {
 			return nil, errors.Wrapf(err, "service %s", service.Name)
 		}
@ -109,7 +109,9 @@ func Service(
 	}

 	var privileges swarm.Privileges
-	privileges.CredentialSpec, err = convertCredentialSpec(service.CredentialSpec)
+	privileges.CredentialSpec, err = convertCredentialSpec(
+		namespace, service.CredentialSpec, configs,
+	)
 	if err != nil {
 		return swarm.ServiceSpec{}, err
 	}
@ -286,11 +288,17 @@ func convertServiceSecrets(
 	return secrs, err
 }

+// convertServiceConfigObjs takes an API client, a namespace, a ServiceConfig,
+// and a set of compose Config specs, and creates the swarm ConfigReferences
+// required by the serivce. Unlike convertServiceSecrets, this takes the whole
+// ServiceConfig, because some Configs may be needed as a result of other
+// fields (like CredentialSpecs).
+//
 // TODO: fix configs API so that ConfigsAPIClient is not required here
 func convertServiceConfigObjs(
 	client client.ConfigAPIClient,
 	namespace Namespace,
-	configs []composetypes.ServiceConfigObjConfig,
+	service composetypes.ServiceConfig,
 	configSpecs map[string]composetypes.ConfigObjConfig,
 ) ([]*swarm.ConfigReference, error) {
 	refs := []*swarm.ConfigReference{}
@ -302,7 +310,7 @@ func convertServiceConfigObjs(
 		}
 		return composetypes.FileObjectConfig(configSpec), nil
 	}
-	for _, config := range configs {
+	for _, config := range service.Configs {
 		obj, err := convertFileObject(namespace, composetypes.FileReferenceConfig(config), lookup)
 		if err != nil {
 			return nil, err
@ -315,6 +323,38 @@ func convertServiceConfigObjs(
 		})
 	}

+	// finally, after converting all of the file objects, create any
+	// Runtime-type configs that are needed. these are configs that are not
+	// mounted into the container, but are used in some other way by the
+	// container runtime. Currently, this only means CredentialSpecs, but in
+	// the future it may be used for other fields
+
+	// grab the CredentialSpec out of the Service
+	credSpec := service.CredentialSpec
+	// if the credSpec uses a config, then we should grab the config name, and
+	// create a config reference for it. A File or Registry-type CredentialSpec
+	// does not need this operation.
+	if credSpec.Config != "" {
+		// look up the config in the configSpecs.
+		obj, err := lookup(credSpec.Config)
+		if err != nil {
+			return nil, err
+		}
+
+		// get the actual correct name.
+		name := namespace.Scope(credSpec.Config)
+		if obj.Name != "" {
+			name = obj.Name
+		}
+
+		// now append a Runtime-type config.
+		refs = append(refs, &swarm.ConfigReference{
+			ConfigName: name,
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		})
+
+	}
+
 	confs, err := servicecli.ParseConfigs(client, refs)
 	if err != nil {
 		return nil, err
@ -342,11 +382,6 @@ func convertFileObject(
 	config composetypes.FileReferenceConfig,
 	lookup func(key string) (composetypes.FileObjectConfig, error),
 ) (swarmReferenceObject, error) {
-	target := config.Target
-	if target == "" {
-		target = config.Source
-	}
-
 	obj, err := lookup(config.Source)
 	if err != nil {
 		return swarmReferenceObject{}, err
@ -357,6 +392,11 @@ func convertFileObject(
 		source = obj.Name
 	}

+	target := config.Target
+	if target == "" {
+		target = config.Source
+	}
+
 	uid := config.UID
 	gid := config.GID
 	if uid == "" {
@ -599,13 +639,46 @@ func convertDNSConfig(DNS []string, DNSSearch []string) (*swarm.DNSConfig, error
 	return nil, nil
 }

-func convertCredentialSpec(spec composetypes.CredentialSpecConfig) (*swarm.CredentialSpec, error) {
-	if spec.File == "" && spec.Registry == "" {
-		return nil, nil
+func convertCredentialSpec(namespace Namespace, spec composetypes.CredentialSpecConfig, refs []*swarm.ConfigReference) (*swarm.CredentialSpec, error) {
+	var o []string
+
+	// Config was added in API v1.40
+	if spec.Config != "" {
+		o = append(o, `"Config"`)
 	}
-	if spec.File != "" && spec.Registry != "" {
-		return nil, errors.New("Invalid credential spec - must provide one of `File` or `Registry`")
+	if spec.File != "" {
+		o = append(o, `"File"`)
+	}
+	if spec.Registry != "" {
+		o = append(o, `"Registry"`)
+	}
+	l := len(o)
+	switch {
+	case l == 0:
+		return nil, nil
+	case l == 2:
+		return nil, errors.Errorf("invalid credential spec: cannot specify both %s and %s", o[0], o[1])
+	case l > 2:
+		return nil, errors.Errorf("invalid credential spec: cannot specify both %s, and %s", strings.Join(o[:l-1], ", "), o[l-1])
 	}
 	swarmCredSpec := swarm.CredentialSpec(spec)
+	// if we're using a swarm Config for the credential spec, over-write it
+	// here with the config ID
+	if swarmCredSpec.Config != "" {
+		for _, config := range refs {
+			if swarmCredSpec.Config == config.ConfigName {
+				swarmCredSpec.Config = config.ConfigID
+				return &swarmCredSpec, nil
+			}
+		}
+		// if none of the configs match, try namespacing
+		for _, config := range refs {
+			if namespace.Scope(swarmCredSpec.Config) == config.ConfigName {
+				swarmCredSpec.Config = config.ConfigID
+				return &swarmCredSpec, nil
+			}
+		}
+		return nil, errors.Errorf("invalid credential spec: spec specifies config %v, but no such config can be found", swarmCredSpec.Config)
+	}
 	return &swarmCredSpec, nil
 }
--- a/cli/compose/convert/service_test.go
+++ b/cli/compose/convert/service_test.go
@ -314,30 +314,98 @@ func TestConvertDNSConfigSearch(t *testing.T) {
 }

 func TestConvertCredentialSpec(t *testing.T) {
-	swarmSpec, err := convertCredentialSpec(composetypes.CredentialSpecConfig{})
-	assert.NilError(t, err)
-	assert.Check(t, is.Nil(swarmSpec))
+	tests := []struct {
+		name        string
+		in          composetypes.CredentialSpecConfig
+		out         *swarm.CredentialSpec
+		configs     []*swarm.ConfigReference
+		expectedErr string
+	}{
+		{
+			name: "empty",
+		},
+		{
+			name:        "config-and-file",
+			in:          composetypes.CredentialSpecConfig{Config: "0bt9dmxjvjiqermk6xrop3ekq", File: "somefile.json"},
+			expectedErr: `invalid credential spec: cannot specify both "Config" and "File"`,
+		},
+		{
+			name:        "config-and-registry",
+			in:          composetypes.CredentialSpecConfig{Config: "0bt9dmxjvjiqermk6xrop3ekq", Registry: "testing"},
+			expectedErr: `invalid credential spec: cannot specify both "Config" and "Registry"`,
+		},
+		{
+			name:        "file-and-registry",
+			in:          composetypes.CredentialSpecConfig{File: "somefile.json", Registry: "testing"},
+			expectedErr: `invalid credential spec: cannot specify both "File" and "Registry"`,
+		},
+		{
+			name:        "config-and-file-and-registry",
+			in:          composetypes.CredentialSpecConfig{Config: "0bt9dmxjvjiqermk6xrop3ekq", File: "somefile.json", Registry: "testing"},
+			expectedErr: `invalid credential spec: cannot specify both "Config", "File", and "Registry"`,
+		},
+		{
+			name:        "missing-config-reference",
+			in:          composetypes.CredentialSpecConfig{Config: "missing"},
+			expectedErr: "invalid credential spec: spec specifies config missing, but no such config can be found",
+			configs: []*swarm.ConfigReference{
+				{
+					ConfigName: "someName",
+					ConfigID:   "missing",
+				},
+			},
+		},
+		{
+			name: "namespaced-config",
+			in:   composetypes.CredentialSpecConfig{Config: "name"},
+			configs: []*swarm.ConfigReference{
+				{
+					ConfigName: "namespaced-config_name",
+					ConfigID:   "someID",
+				},
+			},
+			out: &swarm.CredentialSpec{Config: "someID"},
+		},
+		{
+			name: "config",
+			in:   composetypes.CredentialSpecConfig{Config: "someName"},
+			configs: []*swarm.ConfigReference{
+				{
+					ConfigName: "someOtherName",
+					ConfigID:   "someOtherID",
+				}, {
+					ConfigName: "someName",
+					ConfigID:   "someID",
+				},
+			},
+			out: &swarm.CredentialSpec{Config: "someID"},
+		},
+		{
+			name: "file",
+			in:   composetypes.CredentialSpecConfig{File: "somefile.json"},
+			out:  &swarm.CredentialSpec{File: "somefile.json"},
+		},
+		{
+			name: "registry",
+			in:   composetypes.CredentialSpecConfig{Registry: "testing"},
+			out:  &swarm.CredentialSpec{Registry: "testing"},
+		},
+	}

-	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
-		File: "/foo",
-	})
-	assert.NilError(t, err)
-	assert.Check(t, is.Equal(swarmSpec.File, "/foo"))
-	assert.Check(t, is.Equal(swarmSpec.Registry, ""))
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			namespace := NewNamespace(tc.name)
+			swarmSpec, err := convertCredentialSpec(namespace, tc.in, tc.configs)

-	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
-		Registry: "foo",
-	})
-	assert.NilError(t, err)
-	assert.Check(t, is.Equal(swarmSpec.File, ""))
-	assert.Check(t, is.Equal(swarmSpec.Registry, "foo"))
-
-	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
-		File:     "/asdf",
-		Registry: "foo",
-	})
-	assert.Check(t, is.ErrorContains(err, ""))
-	assert.Check(t, is.Nil(swarmSpec))
+			if tc.expectedErr != "" {
+				assert.Error(t, err, tc.expectedErr)
+			} else {
+				assert.NilError(t, err)
+			}
+			assert.DeepEqual(t, swarmSpec, tc.out)
+		})
+	}
 }

 func TestConvertUpdateConfigOrder(t *testing.T) {
@ -467,9 +535,14 @@ func TestConvertServiceSecrets(t *testing.T) {

 func TestConvertServiceConfigs(t *testing.T) {
 	namespace := Namespace{name: "foo"}
-	configs := []composetypes.ServiceConfigObjConfig{
-		{Source: "foo_config"},
-		{Source: "bar_config"},
+	service := composetypes.ServiceConfig{
+		Configs: []composetypes.ServiceConfigObjConfig{
+			{Source: "foo_config"},
+			{Source: "bar_config"},
+		},
+		CredentialSpec: composetypes.CredentialSpecConfig{
+			Config: "baz_config",
+		},
 	}
 	configSpecs := map[string]composetypes.ConfigObjConfig{
 		"foo_config": {
@ -478,18 +551,23 @@ func TestConvertServiceConfigs(t *testing.T) {
 		"bar_config": {
 			Name: "bar_config",
 		},
+		"baz_config": {
+			Name: "baz_config",
+		},
 	}
 	client := &fakeClient{
 		configListFunc: func(opts types.ConfigListOptions) ([]swarm.Config, error) {
 			assert.Check(t, is.Contains(opts.Filters.Get("name"), "foo_config"))
 			assert.Check(t, is.Contains(opts.Filters.Get("name"), "bar_config"))
+			assert.Check(t, is.Contains(opts.Filters.Get("name"), "baz_config"))
 			return []swarm.Config{
 				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "foo_config"}}},
 				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "bar_config"}}},
+				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "baz_config"}}},
 			}, nil
 		},
 	}
-	refs, err := convertServiceConfigObjs(client, namespace, configs, configSpecs)
+	refs, err := convertServiceConfigObjs(client, namespace, service, configSpecs)
 	assert.NilError(t, err)
 	expected := []*swarm.ConfigReference{
 		{
@ -501,6 +579,10 @@ func TestConvertServiceConfigs(t *testing.T) {
 				Mode: 0444,
 			},
 		},
+		{
+			ConfigName: "baz_config",
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		},
 		{
 			ConfigName: "foo_config",
 			File: &swarm.ConfigReferenceFileTarget{
--- a/cli/compose/loader/loader.go
+++ b/cli/compose/loader/loader.go
@ -634,7 +634,8 @@ func LoadConfigObjs(source map[string]interface{}, details types.ConfigDetails)

 func loadFileObjectConfig(name string, objType string, obj types.FileObjectConfig, details types.ConfigDetails) (types.FileObjectConfig, error) {
 	// if "external: true"
-	if obj.External.External {
+	switch {
+	case obj.External.External:
 		// handle deprecated external.name
 		if obj.External.Name != "" {
 			if obj.Name != "" {
@ -651,7 +652,11 @@ func loadFileObjectConfig(name string, objType string, obj types.FileObjectConfi
 			}
 		}
 		// if not "external: true"
-	} else {
+	case obj.Driver != "":
+		if obj.File != "" {
+			return obj, errors.Errorf("%[1]s %[2]s: %[1]s.driver and %[1]s.file conflict; only use %[1]s.driver", objType, name)
+		}
+	default:
 		obj.File = absPath(details.WorkingDir, obj.File)
 	}

--- a/cli/compose/loader/loader_test.go
+++ b/cli/compose/loader/loader_test.go
@ -295,6 +295,20 @@ configs:
 	assert.Assert(t, is.Len(actual.Configs, 1))
 }

+func TestLoadV38(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.8"
+services:
+  foo:
+    image: busybox
+    credential_spec:
+      config: "0bt9dmxjvjiqermk6xrop3ekq"
+`)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(actual.Services, 1))
+	assert.Check(t, is.Equal(actual.Services[0].CredentialSpec.Config, "0bt9dmxjvjiqermk6xrop3ekq"))
+}
+
 func TestParseAndLoad(t *testing.T) {
 	actual, err := loadYAML(sampleYAML)
 	assert.NilError(t, err)
@ -1586,3 +1600,67 @@ secrets:
 	}
 	assert.DeepEqual(t, config, expected, cmpopts.EquateEmpty())
 }
+
+func TestLoadSecretDriver(t *testing.T) {
+	config, err := loadYAML(`
+version: '3.8'
+services:
+  hello-world:
+    image: redis:alpine
+    secrets:
+      - secret
+    configs:
+      - config
+
+configs:
+  config:
+    name: config
+    external: true
+
+secrets:
+  secret:
+    name: secret
+    driver: secret-bucket
+    driver_opts:
+      OptionA: value for driver option A
+      OptionB: value for driver option B
+`)
+	assert.NilError(t, err)
+	expected := &types.Config{
+		Filename: "filename.yml",
+		Version:  "3.8",
+		Services: types.Services{
+			{
+				Name:  "hello-world",
+				Image: "redis:alpine",
+				Configs: []types.ServiceConfigObjConfig{
+					{
+						Source: "config",
+					},
+				},
+				Secrets: []types.ServiceSecretConfig{
+					{
+						Source: "secret",
+					},
+				},
+			},
+		},
+		Configs: map[string]types.ConfigObjConfig{
+			"config": {
+				Name:     "config",
+				External: types.External{External: true},
+			},
+		},
+		Secrets: map[string]types.SecretConfig{
+			"secret": {
+				Name:   "secret",
+				Driver: "secret-bucket",
+				DriverOpts: map[string]string{
+					"OptionA": "value for driver option A",
+					"OptionB": "value for driver option B",
+				},
+			},
+		},
+	}
+	assert.DeepEqual(t, config, expected, cmpopts.EquateEmpty())
+}
--- a/cli/compose/schema/bindata.go
+++ b/cli/compose/schema/bindata.go
@ -510,45 +510,45 @@ bnBpPlHfjORjkTRf1wyAwiYqMXd9/G6313QfoXs6/sbZ66r6e179PwAA//8ZL3SpvkUAAA==

 	"/data/config_schema_v3.8.json": {
 		local:   "data/config_schema_v3.8.json",
-		size:    18006,
+		size:    18246,
 		modtime: 1518458244,
 		compressed: `
 H4sIAAAAAAAC/+xcS4/juBG++1cI2r1tPwbIIkjmlmNOyTkNj0BTZZvbFMktUp72DvzfAz1bokiRtuXu
-3qQHGEy3VHwU68GvHpofqyRJf9Z0DwVJvybp3hj19fHxNy3FffP0QeLuMUeyNfdffn1snv2U3lXjWF4N
-oVJs2S5r3mSHvzz87aEa3pCYo4KKSG5+A2qaZwi/lwyhGvyUHgA1kyJd362qdwqlAjQMdPo1qTaXJD1J
-92AwrTbIxC6tH5/qGZIk1YAHRgcz9Fv96fF1/see7M6edbDZ+rkixgCKf0/3Vr/+9kTu//jH/X++3P/9
-Ibtf//Lz6HV1vgjbZvkctkwww6To1097ylP706lfmOR5TUz4aO0t4RrGPAsw3yU+h3juyd6J53Z9B89j
-dg6Sl0VQgh3VOzHTLL+M/DRQBBNW2Ybq3TS2Wn4ZhhuvEWK4o3onhpvlr2N41THt3mP67eW++vdUzzk7
-XzPLYH81EyOf5zpOl8/xn2d/oJ6TzEFxeax37j6zhqAAYdL+mJIk3ZSM5/apSwH/qqZ4GjxMkh+2ex/M
-U78f/eZXiv69h5f+PZXCwIupmZpfujkCSZ8Bt4xD7AiCjaZ7jowzbTKJWc6ocY7nZAP8qhkooXvItiiL
-4CzbrOFEOyfqPHgk54bgDqJPVu+LTLM/Ruf6lDJhYAeY3vVj1ydr7GSysGHaNl39Wa8cE6aUqIzk+YgJ
-gkiO1Y6YgUK7+UvSUrDfS/hnS2KwBHveHKVafuIdylJlimBlhfNnn1JZFEQsZZrn8BFx8pNLYmTv7RrD
-V/1qo215uEkitNLhLgLuJuxwKk2XJdJY/3GuHSVJWrI8nnh3DnEh8/G+RVlsANPThHhipKPf1yvXG0v6
-hjABmAlSQFCPEXIQhhGeaQXUpzMOoc2JK4108ynCjmmDRyftyuOp4rzUkMscFIhcZ004dL4fT3PoY6NF
-fU4u5u6nZprqhqr2lloDMw0E6f7C8bIgTMRoCAiDRyVZ4xM/nLMDcch6bTv7GEAcGEpRdB4/DicMxr8o
-qeF6T9vf2i3jd72DWFsWs5VYkGqz3dpeK5lq3vAAhzxU+JrwjDPxvLyKw4tBku2lNpdAsXQPhJs93QN9
-nhk+pBqNltrEKDkryC5MJNj4LtlIyYGIMZGiwXm05MS0uZk5wosBbLqoKAfTyt2uIvXp7yQgigwlcmQH
-wFi8K9VrHOe69ENAIxj4jki/PTRx74yN1j9xPgXYrvvcfmJfibGX26tUCkIrpI2gdUij2jgkm8CRV9oJ
-sY71+xeFR+eHpVGiC+YugiDXB2TjtSwO1HZi54xo0NfFmQMvdPg1UidcY/86O9Yz1DtnfFQZmGqInjl3
-bmQdxtO3DHrVOCYY+4raQwwNTEk0bxKmvfqpV/jQLD6N3GxxRw26Tbg346Xigr0uB+IeoMoNZ3oP+Tlj
-UBpJJY8zDGdWK94YZkK/i5CeQnZgHHYWxy4Yg0DyTAp+jKDUhmAwYaKBlsjMMZPKLI4x3RmwV63vE2Dj
-DVm1g88syf9PlkQfNTWXYWttciYyqUAEbUMbqbIdEgqZAmTSeRQjB5uX2IQGk2k02wnCQ2ZmCrW9MKVg
-TNjYS84K5jcaZ5ooiNcarOaGaDPwLMplz0QI8wFCRGSwJ3jG1VEb5tZzP60iMdC4C6Ce767dyNpJfxb0
-srex9qIft1GVOhjE1TRCZxFXu6Oc/efw0CMZ1eTri/x4u1Kk77y1149GBOMSoWbagKDH+IU2bFJXOTfu
-iou6aiqy86di3LFJtK22nQ5vwoqQVCqPaK5ko79Sbs9Fh+H8wantOWfi2IIJVpRF+jX54otY40/mxtDe
-ygHNAHqf7/0u8bm62XOGc7p8mu/9GPdVnNmcYqVq5zoqhqTBLpX57o5Q5wXTZGMVo5x5W2EAD26AFUZo
-CAaZVR/qsOsQYoH+mFUUwwqQpbkUnhI05wNcu4dt0CjT1WPmVGhAaWvQU69CXdolqCYxeAREXtfBosAL
-guKMEh0CiFck+VFyviH0OWsbrhaq3SqChHPgTBcx6DbNgZPjRZrTFLQI4yVCRmhESaSVlWBG4uVLFuQl
-65atSQJ229gp5uBbE0R9z9j4srGM+y1DbZo0hFTtb2P3v2Cpu1Q5MfCpEp8qMczQ1bGBXkodnEmAZXoK
-VRlbr0gLKGS4c+TalP+kYUVXMMFXgPwoB+Cg3oEAZDQbaYPnypnS3qiKcr1mN9hDctaEmEuoN5Wi2UeM
-57nS1VV+pwLihTI6yrV+ZyKX38+HWQuctuKEggXNrj1obZAwYc7uVbCPRSFsAUFQmDXLac5oJm+0XEJe
-IZD8HUpGLm3rgGkF2DNhI1lXRvIStbniGweno5qLBKYDJiHlWO4Oefvl7JdvFVtSBAP9yq4eypAOzetP
-+txmw4IuPj0QXkZUTy7qN/FlHSIGn5yfXIVk2pEtENrF9H9FNSC1VJlUy1dAwk1G63D+nSlSLOWbo1uy
-Umeo8RG8brkRngT3jb3ucldu15vpkepTn8q6689qHS1ir2Est/86q2aXLV3pN2IMofuoTN2ZCZM3SHxO
-Ev1Ol9ZSfXq0Mzzan13/P56utl+jBr94rKnCH5BeoaER34h8APkvIdZRBaBQnBjIZuzzDbRgcmc7taCl
-+tSC/1EtsJqBBtowLUrNCSi6Y3k1rEH127DJHP9jhS9+827KV0K1Fm1lM8/5grfiwy8zOHnuy4IbAcwF
-2jDdMrVSO6u+6dL+4N7verrxk8/vKz7FcVI0/TFuvGk+nV+Pzsciab76GcCQdVTY7/oo32776T6O93Qi
-jmPjVfX3tPpvAAAA//+mJNa5VkYAAA==
+3qQDBDstFR/15FfFkn+skiT9WdM9FCT9mqR7Y9TXx8fftBT3zdMHibvHHMnW3H/59bF59lN6V41jeTWE
+SrFlu6x5kx3+8vC3h2p4Q2KOCioiufkNqGmeIfxeMoRq8FN6ANRMinR9t6reKZQK0DDQ6dek2lyS9CTd
+g8G02iATu7R+fKpnSJJUAx4YHczQb/Wnx9f5H3uyO3vWwWbr54oYAyj+Pd1b/frbE7n/4x/3//ly//eH
+7H79y8+j15V8EbbN8jlsmWCGSdGvn/aUp/Zfp35hkuc1MeGjtbeEaxjzLMB8l/gc4rkneyee2/UdPI/Z
+OUheFkENdlTvxEyz/DL600ARTNhkG6p3s9hq+WUYbqJGiOGO6p0Ybpa/juFVx7R7j+m3l/vqv6d6ztn5
+mlkG+6uZGMU8lzhdMccvz16gHknmoLg81jt3y6whKECYtBdTkqSbkvHclroU8K9qiqfBwyT5YYf3wTz1
+9FffqPo33t46d9TKQy8mJqp+aUbEUj6DLhlHGJHEGws3SMyzrTJJGY5o8Y5npMN8KtmoITuIduiLIKz
+bLOGE+2cqIvgkZwbgjuIlqzeF5lmf4zk+pQyYWAHmN71Y9cna+xksrBj2j5d/W+9ckyYUqIykucjJggi
+OVY7YgYK7eYvSUvBfi/hny2JwRLseXOUavmJdyhLlSmClRfOyz6lsiiIWMo1z+EjQvKTQ2Lk7+0aw1f9
+aqNtebhJIqzSES4C4SYccCpLlyXS2Phxrh8lSVqyPJ54dw5xIfPxvkVZbADT04R44qSjv9cr1xtL+4Yw
+AZgJUkDQjhFyEIYRnmkF1GczDqXNqas1wQjxpJEHQoqwY9rg0Um78sS0uHg2lEcOCkSusyZxOj/ipzn0
+WdSi0SkXcydZM011llV7S62BmQaCdH/heFkQJmJsCYTBo5KsiZ4fLiyCOGS9tZ0tBhAHhlIU3dkQhygG
+41+U1HB9TO7P95bxuz6UrG3PkliQarPd2l4vmVreUIBDHiokTnjGmXhe3sThxSDJ9lKbS0BbugfCzZ7u
+gT7PDB9SjUZLbWKMnBVkFyYSbHzqbKTkQMSYSNHgPFpyYtoqzhzhxVA3XVSVg2nlbleR+ux3kjpFJh05
+sgNgLDKW6jXjc8GDECQJpsgj0m8PTYY846P1vzifQnHXyW8/sY/E2MPtVSsFoRUmR9A6ZFFtxpJNgMsr
+7YRYx8b9ixKp8xPYKNUFqxxBOOyDvPFWFgd/O7VzRjTo6zLSQRQ6/BppE66xf50d6xnqnTM+/wxMNcTZ
+nDs3sg4j71umx2qcPYxjRR0hhg6mJJo3Sehe49QrfGgWn+Z4trqjBt0mMZyJUnFpYVctcQ9Q5YYzvYf8
+nDEojaSSxzmGs/4V7wwzSeJFSE8hOzAOO4tjF4xBIHkmBT9GUGpDMFha0UBLZOaYSWUWx5juWtmr1fel
+svGGrFuGz3rK/089RR81NZdha21yJjKpQAR9Qxupsh0SCpkCZNIpilGAzUtsUoPJNJrtBOEhNzOF2l5Y
+UjAm7OwlZwXzO42zoBTEaw1Wc0O0GXgWFbJnMoT5BCEiM9gTPOPoqB1z6zmfVpEYaNwvUM93125k7aQ/
+C3rZ21h70Y/bqUodTOJqGqGziKPdcfH954jQIx3V5OuL4ni7UmTsvHXUj0YE44KxZtqAoMf4hTZscgNz
+bt4Vl3XVVGTnL8W4c5NoX217It6EFSGpVB7VXMlGf6TcnosOw/mTUztyzuSxBROsKIv0a/LFl7HGS+bG
+0N6qAc0Ael/s/S7xuTrZc4Zztnya7xIZd2Cc2cZilWrnei+GpMF+lvk+kFCPBtNkY11GOeu2wgAe3AAr
+jNAQDDLrfqjDrkOIBfpj3qIYVoAszaXwlKA5H+Da3W6DlpruPmbOhAaUtgU99SbUlV2CZhKDR0Dk9T1Y
+FHhBUJxRokMA8YoiP0rON4Q+Z6/3skvc8iqChHPgTBcx6DbNgZPjRZbTXGgRxkuEjNCIK5FWV4IZiZcv
+WZCXrFu2Jgn4beOnmINvTRD1OWPjy8Yz7rcMtWnKEFK1f43D/4JX3aXKiYFPk/g0iWGFrs4N9FLm4CwC
+LNN9qMrY+4q0gEKGO0euLflPGlZ0BRN8F5AfRQAO6h0IQEazkTV4jpwp7Y1uUa637AZ7SM6aFHOhNqdm
+HzGR58pQV8WdCogXyuio0PqdiVx+Px9mLSBtxQkFC5pdK2htkDBhzu5VsMWiELaAICjMuuW0ZjRTN1qu
+IK8QSP4OV0Yua+uAaQXYM2EjWVdF8hKzueJrCGegmssEpgMmKeVY7w59+/Xs12+VW1IEA/3Krm7LkA3N
+20/63FbDgiE+PRBeRtyeXNRv4qs6RAw+OT/OCum0I1sgtYvp/4pqQGqpMqmWvwEJNxmtw/V3pkixVGyO
+bslKnanGR4i65UZ4Ctw3jrrLHbldb6ZHq099Keuul9U6WsVex1hu/3VVzb62dJXfiDGE7qMqdWcWTN6g
+8Dkp9DtDWkv1GdHOiGh/dvv/eLbafrca/Daypgp/anqFhUZ8I/IB9L+EWv/n3LLKVzkxkM2w8wa2PEEe
+TltuqT5teWlb/iBWYLU0DaxherU2p6DovuvV8Cat34ZN5viFDl8W6t2U7yLYWrTVzTznCwaRh19m0P7c
+9xE3gskLNJO6dWoVqFZ966j9AwP+0NONn/zcQMWnOE6ufn+M24eanwpYj+RjkTTfLg2i9jqqeOH6EQK7
+ean7MQBPP+U4w19V/z+t/hsAAP//Fd/bF0ZHAAA=
 `,
 	},

--- a/cli/compose/schema/data/config_schema_v3.8.json
+++ b/cli/compose/schema/data/config_schema_v3.8.json
@ -125,6 +125,7 @@
        "credential_spec": {
          "type": "object",
          "properties": {
+            "config": {"type": "string"},
            "file": {"type": "string"},
            "registry": {"type": "string"}
          },
@ -538,6 +539,13 @@
          }
        },
        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
        "template_driver": {"type": "string"}
      },
      "patternProperties": {"^x-": {}},
--- a/cli/compose/schema/schema_test.go
+++ b/cli/compose/schema/schema_test.go
@ -92,7 +92,7 @@ func TestValidateCredentialSpecs(t *testing.T) {
 		{version: "3.5", expectedErr: "config"},
 		{version: "3.6", expectedErr: "config"},
 		{version: "3.7", expectedErr: "config"},
-		{version: "3.8", expectedErr: "something"},
+		{version: "3.8"},
 	}

 	for _, tc := range tests {
@ -104,7 +104,7 @@ func TestValidateCredentialSpecs(t *testing.T) {
 					"foo": dict{
 						"image": "busybox",
 						"credential_spec": dict{
-							tc.expectedErr: "foobar",
+							"config": "foobar",
 						},
 					},
 				},
--- a/cli/compose/types/types.go
+++ b/cli/compose/types/types.go
@ -500,8 +500,7 @@ func (e External) MarshalJSON() ([]byte, error) {

 // CredentialSpecConfig for credential spec on Windows
 type CredentialSpecConfig struct {
-	// @TODO Config is not yet in use
-	Config   string `yaml:"-" json:"-"` // Config was added in API v1.40
+	Config   string `yaml:",omitempty" json:"config,omitempty"` // Config was added in API v1.40
 	File     string `yaml:",omitempty" json:"file,omitempty"`
 	Registry string `yaml:",omitempty" json:"registry,omitempty"`
 }
@ -513,6 +512,8 @@ type FileObjectConfig struct {
 	External       External               `yaml:",omitempty" json:"external,omitempty"`
 	Labels         Labels                 `yaml:",omitempty" json:"labels,omitempty"`
 	Extras         map[string]interface{} `yaml:",inline" json:"-"`
+	Driver         string                 `yaml:",omitempty" json:"driver,omitempty"`
+	DriverOpts     map[string]string      `mapstructure:"driver_opts" yaml:"driver_opts,omitempty" json:"driver_opts,omitempty"`
 	TemplateDriver string                 `mapstructure:"template_driver" yaml:"template_driver,omitempty" json:"template_driver,omitempty"`
 }

--- a/cli/config/configfile/file.go
+++ b/cli/config/configfile/file.go
@ -50,6 +50,7 @@ type ConfigFile struct {
 	CurrentContext       string                       `json:"currentContext,omitempty"`
 	CLIPluginsExtraDirs  []string                     `json:"cliPluginsExtraDirs,omitempty"`
 	Plugins              map[string]map[string]string `json:"plugins,omitempty"`
+	Aliases              map[string]string            `json:"aliases,omitempty"`
 }

 // ProxyConfig contains proxy configuration settings
@ -72,6 +73,7 @@ func New(fn string) *ConfigFile {
 		HTTPHeaders: make(map[string]string),
 		Filename:    fn,
 		Plugins:     make(map[string]map[string]string),
+		Aliases:     make(map[string]string),
 	}
 }

--- a/cli/connhelper/commandconn/commandconn.go
+++ b/cli/connhelper/commandconn/commandconn.go
@ -41,7 +41,9 @@ func New(ctx context.Context, cmd string, args ...string) (net.Conn, error) {
 	// we assume that args never contains sensitive information
 	logrus.Debugf("commandconn: starting %s with %v", cmd, args)
 	c.cmd.Env = os.Environ()
+	c.cmd.SysProcAttr = &syscall.SysProcAttr{}
 	setPdeathsig(c.cmd)
+	createSession(c.cmd)
 	c.stdin, err = c.cmd.StdinPipe()
 	if err != nil {
 		return nil, err
--- a/cli/connhelper/commandconn/commandconn_linux.go
+++ b/cli/connhelper/commandconn/commandconn_linux.go
@ -6,7 +6,5 @@ import (
 )

 func setPdeathsig(cmd *exec.Cmd) {
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Pdeathsig: syscall.SIGKILL,
-	}
+	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
 }
--- a/cli/connhelper/commandconn/commandconn_nolinux.go
+++ b/cli/connhelper/commandconn/commandconn_nolinux.go
--- a/cli/connhelper/commandconn/session_unix.go
+++ b/cli/connhelper/commandconn/session_unix.go
@ -0,0 +1,13 @@
+// +build !windows
+
+package commandconn
+
+import (
+	"os/exec"
+)
+
+func createSession(cmd *exec.Cmd) {
+	// for supporting ssh connection helper with ProxyCommand
+	// https://github.com/docker/cli/issues/1707
+	cmd.SysProcAttr.Setsid = true
+}
--- a/cli/connhelper/commandconn/session_windows.go
+++ b/cli/connhelper/commandconn/session_windows.go
@ -0,0 +1,8 @@
+package commandconn
+
+import (
+	"os/exec"
+)
+
+func createSession(cmd *exec.Cmd) {
+}
--- a/cli/context/docker/load.go
+++ b/cli/context/docker/load.go
@ -31,7 +31,7 @@ type Endpoint struct {
 }

 // WithTLSData loads TLS materials for the endpoint
-func WithTLSData(s store.Store, contextName string, m EndpointMeta) (Endpoint, error) {
+func WithTLSData(s store.Reader, contextName string, m EndpointMeta) (Endpoint, error) {
 	tlsData, err := context.LoadTLSData(s, contextName, DockerEndpoint)
 	if err != nil {
 		return Endpoint{}, err
@ -91,8 +91,8 @@ func (c *Endpoint) tlsConfig() (*tls.Config, error) {
 }

 // ClientOpts returns a slice of Client options to configure an API client with this endpoint
-func (c *Endpoint) ClientOpts() ([]func(*client.Client) error, error) {
-	var result []func(*client.Client) error
+func (c *Endpoint) ClientOpts() ([]client.Opt, error) {
+	var result []client.Opt
 	if c.Host != "" {
 		helper, err := connhelper.GetConnectionHelper(c.Host)
 		if err != nil {
@ -153,7 +153,7 @@ func withHTTPClient(tlsConfig *tls.Config) func(*client.Client) error {
 }

 // EndpointFromContext parses a context docker endpoint metadata into a typed EndpointMeta structure
-func EndpointFromContext(metadata store.ContextMetadata) (EndpointMeta, error) {
+func EndpointFromContext(metadata store.Metadata) (EndpointMeta, error) {
 	ep, ok := metadata.Endpoints[DockerEndpoint]
 	if !ok {
 		return EndpointMeta{}, errors.New("cannot find docker endpoint in context")
--- a/cli/context/kubernetes/endpoint_test.go
+++ b/cli/context/kubernetes/endpoint_test.go
@ -85,15 +85,15 @@ func TestSaveLoadContexts(t *testing.T) {
 	assert.NilError(t, save(store, epDefault, "embed-default-context"))
 	assert.NilError(t, save(store, epContext2, "embed-context2"))

-	rawNoTLSMeta, err := store.GetContextMetadata("raw-notls")
+	rawNoTLSMeta, err := store.GetMetadata("raw-notls")
 	assert.NilError(t, err)
-	rawNoTLSSkipMeta, err := store.GetContextMetadata("raw-notls-skip")
+	rawNoTLSSkipMeta, err := store.GetMetadata("raw-notls-skip")
 	assert.NilError(t, err)
-	rawTLSMeta, err := store.GetContextMetadata("raw-tls")
+	rawTLSMeta, err := store.GetMetadata("raw-tls")
 	assert.NilError(t, err)
-	embededDefaultMeta, err := store.GetContextMetadata("embed-default-context")
+	embededDefaultMeta, err := store.GetMetadata("embed-default-context")
 	assert.NilError(t, err)
-	embededContext2Meta, err := store.GetContextMetadata("embed-context2")
+	embededContext2Meta, err := store.GetMetadata("embed-context2")
 	assert.NilError(t, err)

 	rawNoTLS := EndpointFromContext(rawNoTLSMeta)
@ -104,22 +104,22 @@ func TestSaveLoadContexts(t *testing.T) {

 	rawNoTLSEP, err := rawNoTLS.WithTLSData(store, "raw-notls")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, rawNoTLSEP, "https://test", "test", nil, nil, nil, false)
+	checkClientConfig(t, rawNoTLSEP, "https://test", "test", nil, nil, nil, false)
 	rawNoTLSSkipEP, err := rawNoTLSSkip.WithTLSData(store, "raw-notls-skip")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, rawNoTLSSkipEP, "https://test", "test", nil, nil, nil, true)
+	checkClientConfig(t, rawNoTLSSkipEP, "https://test", "test", nil, nil, nil, true)
 	rawTLSEP, err := rawTLS.WithTLSData(store, "raw-tls")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, rawTLSEP, "https://test", "test", []byte("ca"), []byte("cert"), []byte("key"), true)
+	checkClientConfig(t, rawTLSEP, "https://test", "test", []byte("ca"), []byte("cert"), []byte("key"), true)
 	embededDefaultEP, err := embededDefault.WithTLSData(store, "embed-default-context")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, embededDefaultEP, "https://server1", "namespace1", nil, []byte("cert"), []byte("key"), true)
+	checkClientConfig(t, embededDefaultEP, "https://server1", "namespace1", nil, []byte("cert"), []byte("key"), true)
 	embededContext2EP, err := embededContext2.WithTLSData(store, "embed-context2")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, embededContext2EP, "https://server2", "namespace-override", []byte("ca"), []byte("cert"), []byte("key"), false)
+	checkClientConfig(t, embededContext2EP, "https://server2", "namespace-override", []byte("ca"), []byte("cert"), []byte("key"), false)
 }

-func checkClientConfig(t *testing.T, s store.Store, ep Endpoint, server, namespace string, ca, cert, key []byte, skipTLSVerify bool) {
+func checkClientConfig(t *testing.T, ep Endpoint, server, namespace string, ca, cert, key []byte, skipTLSVerify bool) {
 	config := ep.KubernetesConfig()
 	cfg, err := config.ClientConfig()
 	assert.NilError(t, err)
@ -132,17 +132,17 @@ func checkClientConfig(t *testing.T, s store.Store, ep Endpoint, server, namespa
 	assert.Equal(t, skipTLSVerify, cfg.Insecure)
 }

-func save(s store.Store, ep Endpoint, name string) error {
-	meta := store.ContextMetadata{
+func save(s store.Writer, ep Endpoint, name string) error {
+	meta := store.Metadata{
 		Endpoints: map[string]interface{}{
 			KubernetesEndpoint: ep.EndpointMeta,
 		},
 		Name: name,
 	}
-	if err := s.CreateOrUpdateContext(meta); err != nil {
+	if err := s.CreateOrUpdate(meta); err != nil {
 		return err
 	}
-	return s.ResetContextEndpointTLSMaterial(name, KubernetesEndpoint, ep.TLSData.ToStoreTLSData())
+	return s.ResetEndpointTLSMaterial(name, KubernetesEndpoint, ep.TLSData.ToStoreTLSData())
 }

 func TestSaveLoadGKEConfig(t *testing.T) {
@ -158,7 +158,7 @@ func TestSaveLoadGKEConfig(t *testing.T) {
 	ep, err := FromKubeConfig("testdata/gke-kubeconfig", "", "")
 	assert.NilError(t, err)
 	assert.NilError(t, save(store, ep, "gke-context"))
-	persistedMetadata, err := store.GetContextMetadata("gke-context")
+	persistedMetadata, err := store.GetMetadata("gke-context")
 	assert.NilError(t, err)
 	persistedEPMeta := EndpointFromContext(persistedMetadata)
 	assert.Check(t, persistedEPMeta != nil)
@ -183,7 +183,7 @@ func TestSaveLoadEKSConfig(t *testing.T) {
 	ep, err := FromKubeConfig("testdata/eks-kubeconfig", "", "")
 	assert.NilError(t, err)
 	assert.NilError(t, save(store, ep, "eks-context"))
-	persistedMetadata, err := store.GetContextMetadata("eks-context")
+	persistedMetadata, err := store.GetMetadata("eks-context")
 	assert.NilError(t, err)
 	persistedEPMeta := EndpointFromContext(persistedMetadata)
 	assert.Check(t, persistedEPMeta != nil)
--- a/cli/context/kubernetes/load.go
+++ b/cli/context/kubernetes/load.go
@ -25,7 +25,7 @@ type Endpoint struct {
 }

 // WithTLSData loads TLS materials for the endpoint
-func (c *EndpointMeta) WithTLSData(s store.Store, contextName string) (Endpoint, error) {
+func (c *EndpointMeta) WithTLSData(s store.Reader, contextName string) (Endpoint, error) {
 	tlsData, err := context.LoadTLSData(s, contextName, KubernetesEndpoint)
 	if err != nil {
 		return Endpoint{}, err
@ -62,7 +62,7 @@ func (c *Endpoint) KubernetesConfig() clientcmd.ClientConfig {
 }

 // EndpointFromContext extracts kubernetes endpoint info from current context
-func EndpointFromContext(metadata store.ContextMetadata) *EndpointMeta {
+func EndpointFromContext(metadata store.Metadata) *EndpointMeta {
 	ep, ok := metadata.Endpoints[KubernetesEndpoint]
 	if !ok {
 		return nil
@ -77,8 +77,8 @@ func EndpointFromContext(metadata store.ContextMetadata) *EndpointMeta {
 // ConfigFromContext resolves a kubernetes client config for the specified context.
 // If kubeconfigOverride is specified, use this config file instead of the context defaults.ConfigFromContext
 // if command.ContextDockerHost is specified as the context name, fallsback to the default user's kubeconfig file
-func ConfigFromContext(name string, s store.Store) (clientcmd.ClientConfig, error) {
-	ctxMeta, err := s.GetContextMetadata(name)
+func ConfigFromContext(name string, s store.Reader) (clientcmd.ClientConfig, error) {
+	ctxMeta, err := s.GetMetadata(name)
 	if err != nil {
 		return nil, err
 	}
--- a/cli/context/store/metadata_test.go
+++ b/cli/context/store/metadata_test.go
@ -10,8 +10,8 @@ import (
 	"gotest.tools/assert/cmp"
 )

-func testMetadata(name string) ContextMetadata {
-	return ContextMetadata{
+func testMetadata(name string) Metadata {
+	return Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "bar"},
 		},
@ -34,7 +34,7 @@ func TestMetadataCreateGetRemove(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	testee := metadataStore{root: testDir, config: testCfg}
-	expected2 := ContextMetadata{
+	expected2 := Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "baz"},
 			"ep2": endpoint{Foo: "bee"},
@ -82,7 +82,7 @@ func TestMetadataList(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	testee := metadataStore{root: testDir, config: testCfg}
-	wholeData := []ContextMetadata{
+	wholeData := []Metadata{
 		testMetadata("context1"),
 		testMetadata("context2"),
 		testMetadata("context3"),
@ -103,7 +103,7 @@ func TestEmptyConfig(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	testee := metadataStore{root: testDir}
-	wholeData := []ContextMetadata{
+	wholeData := []Metadata{
 		testMetadata("context1"),
 		testMetadata("context2"),
 		testMetadata("context3"),
@ -136,7 +136,7 @@ func TestWithEmbedding(t *testing.T) {
 			Val: "Hello",
 		},
 	}
-	assert.NilError(t, testee.createOrUpdate(ContextMetadata{Metadata: testCtxMeta, Name: "test"}))
+	assert.NilError(t, testee.createOrUpdate(Metadata{Metadata: testCtxMeta, Name: "test"}))
 	res, err := testee.get(contextdirOf("test"))
 	assert.NilError(t, err)
 	assert.Equal(t, testCtxMeta, res.Metadata)
--- a/cli/context/store/metadatastore.go
+++ b/cli/context/store/metadatastore.go
@ -26,7 +26,7 @@ func (s *metadataStore) contextDir(id contextdir) string {
 	return filepath.Join(s.root, string(id))
 }

-func (s *metadataStore) createOrUpdate(meta ContextMetadata) error {
+func (s *metadataStore) createOrUpdate(meta Metadata) error {
 	contextDir := s.contextDir(contextdirOf(meta.Name))
 	if err := os.MkdirAll(contextDir, 0755); err != nil {
 		return err
@ -56,26 +56,26 @@ func parseTypedOrMap(payload []byte, getter TypeGetter) (interface{}, error) {
 	return reflect.ValueOf(typed).Elem().Interface(), nil
 }

-func (s *metadataStore) get(id contextdir) (ContextMetadata, error) {
+func (s *metadataStore) get(id contextdir) (Metadata, error) {
 	contextDir := s.contextDir(id)
 	bytes, err := ioutil.ReadFile(filepath.Join(contextDir, metaFile))
 	if err != nil {
-		return ContextMetadata{}, convertContextDoesNotExist(err)
+		return Metadata{}, convertContextDoesNotExist(err)
 	}
 	var untyped untypedContextMetadata
-	r := ContextMetadata{
+	r := Metadata{
 		Endpoints: make(map[string]interface{}),
 	}
 	if err := json.Unmarshal(bytes, &untyped); err != nil {
-		return ContextMetadata{}, err
+		return Metadata{}, err
 	}
 	r.Name = untyped.Name
 	if r.Metadata, err = parseTypedOrMap(untyped.Metadata, s.config.contextType); err != nil {
-		return ContextMetadata{}, err
+		return Metadata{}, err
 	}
 	for k, v := range untyped.Endpoints {
 		if r.Endpoints[k], err = parseTypedOrMap(v, s.config.endpointTypes[k]); err != nil {
-			return ContextMetadata{}, err
+			return Metadata{}, err
 		}
 	}
 	return r, err
@ -86,7 +86,7 @@ func (s *metadataStore) remove(id contextdir) error {
 	return os.RemoveAll(contextDir)
 }

-func (s *metadataStore) list() ([]ContextMetadata, error) {
+func (s *metadataStore) list() ([]Metadata, error) {
 	ctxDirs, err := listRecursivelyMetadataDirs(s.root)
 	if err != nil {
 		if os.IsNotExist(err) {
@ -94,7 +94,7 @@ func (s *metadataStore) list() ([]ContextMetadata, error) {
 		}
 		return nil, err
 	}
-	var res []ContextMetadata
+	var res []Metadata
 	for _, dir := range ctxDirs {
 		c, err := s.get(contextdir(dir))
 		if err != nil {
--- a/cli/context/store/store.go
+++ b/cli/context/store/store.go
@ -18,26 +18,58 @@ import (

 // Store provides a context store for easily remembering endpoints configuration
 type Store interface {
-	ListContexts() ([]ContextMetadata, error)
-	CreateOrUpdateContext(meta ContextMetadata) error
-	RemoveContext(name string) error
-	GetContextMetadata(name string) (ContextMetadata, error)
-	ResetContextTLSMaterial(name string, data *ContextTLSData) error
-	ResetContextEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error
-	ListContextTLSFiles(name string) (map[string]EndpointFiles, error)
-	GetContextTLSData(contextName, endpointName, fileName string) ([]byte, error)
-	GetContextStorageInfo(contextName string) ContextStorageInfo
+	Reader
+	Lister
+	Writer
+	StorageInfoProvider
 }

-// ContextMetadata contains metadata about a context and its endpoints
-type ContextMetadata struct {
+// Reader provides read-only (without list) access to context data
+type Reader interface {
+	GetMetadata(name string) (Metadata, error)
+	ListTLSFiles(name string) (map[string]EndpointFiles, error)
+	GetTLSData(contextName, endpointName, fileName string) ([]byte, error)
+}
+
+// Lister provides listing of contexts
+type Lister interface {
+	List() ([]Metadata, error)
+}
+
+// ReaderLister combines Reader and Lister interfaces
+type ReaderLister interface {
+	Reader
+	Lister
+}
+
+// StorageInfoProvider provides more information about storage details of contexts
+type StorageInfoProvider interface {
+	GetStorageInfo(contextName string) StorageInfo
+}
+
+// Writer provides write access to context data
+type Writer interface {
+	CreateOrUpdate(meta Metadata) error
+	Remove(name string) error
+	ResetTLSMaterial(name string, data *ContextTLSData) error
+	ResetEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error
+}
+
+// ReaderWriter combines Reader and Writer interfaces
+type ReaderWriter interface {
+	Reader
+	Writer
+}
+
+// Metadata contains metadata about a context and its endpoints
+type Metadata struct {
 	Name      string                 `json:",omitempty"`
 	Metadata  interface{}            `json:",omitempty"`
 	Endpoints map[string]interface{} `json:",omitempty"`
 }

-// ContextStorageInfo contains data about where a given context is stored
-type ContextStorageInfo struct {
+// StorageInfo contains data about where a given context is stored
+type StorageInfo struct {
 	MetadataPath string
 	TLSPath      string
 }
@ -74,15 +106,15 @@ type store struct {
 	tls  *tlsStore
 }

-func (s *store) ListContexts() ([]ContextMetadata, error) {
+func (s *store) List() ([]Metadata, error) {
 	return s.meta.list()
 }

-func (s *store) CreateOrUpdateContext(meta ContextMetadata) error {
+func (s *store) CreateOrUpdate(meta Metadata) error {
 	return s.meta.createOrUpdate(meta)
 }

-func (s *store) RemoveContext(name string) error {
+func (s *store) Remove(name string) error {
 	id := contextdirOf(name)
 	if err := s.meta.remove(id); err != nil {
 		return patchErrContextName(err, name)
@ -90,13 +122,13 @@ func (s *store) RemoveContext(name string) error {
 	return patchErrContextName(s.tls.removeAllContextData(id), name)
 }

-func (s *store) GetContextMetadata(name string) (ContextMetadata, error) {
+func (s *store) GetMetadata(name string) (Metadata, error) {
 	res, err := s.meta.get(contextdirOf(name))
 	patchErrContextName(err, name)
 	return res, err
 }

-func (s *store) ResetContextTLSMaterial(name string, data *ContextTLSData) error {
+func (s *store) ResetTLSMaterial(name string, data *ContextTLSData) error {
 	id := contextdirOf(name)
 	if err := s.tls.removeAllContextData(id); err != nil {
 		return patchErrContextName(err, name)
@ -114,7 +146,7 @@ func (s *store) ResetContextTLSMaterial(name string, data *ContextTLSData) error
 	return nil
 }

-func (s *store) ResetContextEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error {
+func (s *store) ResetEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error {
 	id := contextdirOf(contextName)
 	if err := s.tls.removeAllEndpointData(id, endpointName); err != nil {
 		return patchErrContextName(err, contextName)
@ -130,19 +162,19 @@ func (s *store) ResetContextEndpointTLSMaterial(contextName string, endpointName
 	return nil
 }

-func (s *store) ListContextTLSFiles(name string) (map[string]EndpointFiles, error) {
+func (s *store) ListTLSFiles(name string) (map[string]EndpointFiles, error) {
 	res, err := s.tls.listContextData(contextdirOf(name))
 	return res, patchErrContextName(err, name)
 }

-func (s *store) GetContextTLSData(contextName, endpointName, fileName string) ([]byte, error) {
+func (s *store) GetTLSData(contextName, endpointName, fileName string) ([]byte, error) {
 	res, err := s.tls.getData(contextdirOf(contextName), endpointName, fileName)
 	return res, patchErrContextName(err, contextName)
 }

-func (s *store) GetContextStorageInfo(contextName string) ContextStorageInfo {
+func (s *store) GetStorageInfo(contextName string) StorageInfo {
 	dir := contextdirOf(contextName)
-	return ContextStorageInfo{
+	return StorageInfo{
 		MetadataPath: s.meta.contextDir(dir),
 		TLSPath:      s.tls.contextDir(dir),
 	}
@ -151,13 +183,13 @@ func (s *store) GetContextStorageInfo(contextName string) ContextStorageInfo {
 // Export exports an existing namespace into an opaque data stream
 // This stream is actually a tarball containing context metadata and TLS materials, but it does
 // not map 1:1 the layout of the context store (don't try to restore it manually without calling store.Import)
-func Export(name string, s Store) io.ReadCloser {
+func Export(name string, s Reader) io.ReadCloser {
 	reader, writer := io.Pipe()
 	go func() {
 		tw := tar.NewWriter(writer)
 		defer tw.Close()
 		defer writer.Close()
-		meta, err := s.GetContextMetadata(name)
+		meta, err := s.GetMetadata(name)
 		if err != nil {
 			writer.CloseWithError(err)
 			return
@ -179,7 +211,7 @@ func Export(name string, s Store) io.ReadCloser {
 			writer.CloseWithError(err)
 			return
 		}
-		tlsFiles, err := s.ListContextTLSFiles(name)
+		tlsFiles, err := s.ListTLSFiles(name)
 		if err != nil {
 			writer.CloseWithError(err)
 			return
@ -204,7 +236,7 @@ func Export(name string, s Store) io.ReadCloser {
 				return
 			}
 			for _, fileName := range endpointFiles {
-				data, err := s.GetContextTLSData(name, endpointName, fileName)
+				data, err := s.GetTLSData(name, endpointName, fileName)
 				if err != nil {
 					writer.CloseWithError(err)
 					return
@ -228,7 +260,7 @@ func Export(name string, s Store) io.ReadCloser {
 }

 // Import imports an exported context into a store
-func Import(name string, s Store, reader io.Reader) error {
+func Import(name string, s Writer, reader io.Reader) error {
 	tr := tar.NewReader(reader)
 	tlsData := ContextTLSData{
 		Endpoints: map[string]EndpointTLSData{},
@ -250,12 +282,12 @@ func Import(name string, s Store, reader io.Reader) error {
 			if err != nil {
 				return err
 			}
-			var meta ContextMetadata
+			var meta Metadata
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
 			meta.Name = name
-			if err := s.CreateOrUpdateContext(meta); err != nil {
+			if err := s.CreateOrUpdate(meta); err != nil {
 				return err
 			}
 		} else if strings.HasPrefix(hdr.Name, "tls/") {
@ -278,7 +310,7 @@ func Import(name string, s Store, reader io.Reader) error {
 			tlsData.Endpoints[endpointName].Files[fileName] = data
 		}
 	}
-	return s.ResetContextTLSMaterial(name, &tlsData)
+	return s.ResetTLSMaterial(name, &tlsData)
 }

 type setContextName interface {
--- a/cli/context/store/store_test.go
+++ b/cli/context/store/store_test.go
@ -27,8 +27,8 @@ func TestExportImport(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	s := New(testDir, testCfg)
-	err = s.CreateOrUpdateContext(
-		ContextMetadata{
+	err = s.CreateOrUpdate(
+		Metadata{
 			Endpoints: map[string]interface{}{
 				"ep1": endpoint{Foo: "bar"},
 			},
@ -40,7 +40,7 @@ func TestExportImport(t *testing.T) {
 	rand.Read(file1)
 	file2 := make([]byte, 3700)
 	rand.Read(file2)
-	err = s.ResetContextEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
+	err = s.ResetEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
 		Files: map[string][]byte{
 			"file1": file1,
 			"file2": file2,
@ -51,30 +51,30 @@ func TestExportImport(t *testing.T) {
 	defer r.Close()
 	err = Import("dest", s, r)
 	assert.NilError(t, err)
-	srcMeta, err := s.GetContextMetadata("source")
+	srcMeta, err := s.GetMetadata("source")
 	assert.NilError(t, err)
-	destMeta, err := s.GetContextMetadata("dest")
+	destMeta, err := s.GetMetadata("dest")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, destMeta.Metadata, srcMeta.Metadata)
 	assert.DeepEqual(t, destMeta.Endpoints, srcMeta.Endpoints)
-	srcFileList, err := s.ListContextTLSFiles("source")
+	srcFileList, err := s.ListTLSFiles("source")
 	assert.NilError(t, err)
-	destFileList, err := s.ListContextTLSFiles("dest")
+	destFileList, err := s.ListTLSFiles("dest")
 	assert.NilError(t, err)
 	assert.Equal(t, 1, len(destFileList))
 	assert.Equal(t, 1, len(srcFileList))
 	assert.Equal(t, 2, len(destFileList["ep1"]))
 	assert.Equal(t, 2, len(srcFileList["ep1"]))
-	srcData1, err := s.GetContextTLSData("source", "ep1", "file1")
+	srcData1, err := s.GetTLSData("source", "ep1", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, srcData1)
-	srcData2, err := s.GetContextTLSData("source", "ep1", "file2")
+	srcData2, err := s.GetTLSData("source", "ep1", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, srcData2)
-	destData1, err := s.GetContextTLSData("dest", "ep1", "file1")
+	destData1, err := s.GetTLSData("dest", "ep1", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, destData1)
-	destData2, err := s.GetContextTLSData("dest", "ep1", "file2")
+	destData2, err := s.GetTLSData("dest", "ep1", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, destData2)
 }
@ -84,8 +84,8 @@ func TestRemove(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	s := New(testDir, testCfg)
-	err = s.CreateOrUpdateContext(
-		ContextMetadata{
+	err = s.CreateOrUpdate(
+		Metadata{
 			Endpoints: map[string]interface{}{
 				"ep1": endpoint{Foo: "bar"},
 			},
@ -93,15 +93,15 @@ func TestRemove(t *testing.T) {
 			Name:     "source",
 		})
 	assert.NilError(t, err)
-	assert.NilError(t, s.ResetContextEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
+	assert.NilError(t, s.ResetEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
 		Files: map[string][]byte{
 			"file1": []byte("test-data"),
 		},
 	}))
-	assert.NilError(t, s.RemoveContext("source"))
-	_, err = s.GetContextMetadata("source")
+	assert.NilError(t, s.Remove("source"))
+	_, err = s.GetMetadata("source")
 	assert.Check(t, IsErrContextDoesNotExist(err))
-	f, err := s.ListContextTLSFiles("source")
+	f, err := s.ListTLSFiles("source")
 	assert.NilError(t, err)
 	assert.Equal(t, 0, len(f))
 }
@ -111,7 +111,7 @@ func TestListEmptyStore(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	store := New(testDir, testCfg)
-	result, err := store.ListContexts()
+	result, err := store.List()
 	assert.NilError(t, err)
 	assert.Check(t, len(result) == 0)
 }
@ -121,7 +121,7 @@ func TestErrHasCorrectContext(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	store := New(testDir, testCfg)
-	_, err = store.GetContextMetadata("no-exists")
+	_, err = store.GetMetadata("no-exists")
 	assert.ErrorContains(t, err, "no-exists")
 	assert.Check(t, IsErrContextDoesNotExist(err))
 }
--- a/cli/context/tlsdata.go
+++ b/cli/context/tlsdata.go
@ -42,15 +42,15 @@ func (data *TLSData) ToStoreTLSData() *store.EndpointTLSData {
 }

 // LoadTLSData loads TLS data from the store
-func LoadTLSData(s store.Store, contextName, endpointName string) (*TLSData, error) {
-	tlsFiles, err := s.ListContextTLSFiles(contextName)
+func LoadTLSData(s store.Reader, contextName, endpointName string) (*TLSData, error) {
+	tlsFiles, err := s.ListTLSFiles(contextName)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to retrieve context tls files for context %q", contextName)
 	}
 	if epTLSFiles, ok := tlsFiles[endpointName]; ok {
 		var tlsData TLSData
 		for _, f := range epTLSFiles {
-			data, err := s.GetContextTLSData(contextName, endpointName, f)
+			data, err := s.GetTLSData(contextName, endpointName, f)
 			if err != nil {
 				return nil, errors.Wrapf(err, "failed to retrieve context tls data for file %q of context %q", f, contextName)
 			}
--- a/cmd/docker/docker.go
+++ b/cmd/docker/docker.go
@ -1,7 +1,6 @@
 package main

 import (
-	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@ -16,11 +15,16 @@ import (
 	"github.com/docker/cli/cli/version"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )

+var allowedAliases = map[string]struct{}{
+	"builder": {},
+}
+
 func newDockerCommand(dockerCli *command.DockerCli) *cli.TopLevelCommand {
 	var (
 		opts    *cliflags.ClientOptions
@ -204,6 +208,38 @@ func tryPluginRun(dockerCli command.Cli, cmd *cobra.Command, subcommand string)
 	return nil
 }

+func processAliases(dockerCli command.Cli, cmd *cobra.Command, args, osArgs []string) ([]string, []string, error) {
+	aliasMap := dockerCli.ConfigFile().Aliases
+	aliases := make([][2][]string, 0, len(aliasMap))
+
+	for k, v := range aliasMap {
+		if _, ok := allowedAliases[k]; !ok {
+			return args, osArgs, errors.Errorf("Not allowed to alias %q. Allowed aliases: %#v", k, allowedAliases)
+		}
+		if _, _, err := cmd.Find(strings.Split(v, " ")); err == nil {
+			return args, osArgs, errors.Errorf("Not allowed to alias with builtin %q as target", v)
+		}
+		aliases = append(aliases, [2][]string{{k}, {v}})
+	}
+
+	if v, ok := aliasMap["builder"]; ok {
+		aliases = append(aliases,
+			[2][]string{{"build"}, {v, "build"}},
+			[2][]string{{"image", "build"}, {v, "build"}},
+		)
+	}
+	for _, al := range aliases {
+		var didChange bool
+		args, didChange = command.StringSliceReplaceAt(args, al[0], al[1], 0)
+		if didChange {
+			osArgs, _ = command.StringSliceReplaceAt(osArgs, al[0], al[1], -1)
+			break
+		}
+	}
+
+	return args, osArgs, nil
+}
+
 func runDocker(dockerCli *command.DockerCli) error {
 	tcmd := newDockerCommand(dockerCli)

@ -216,6 +252,11 @@ func runDocker(dockerCli *command.DockerCli) error {
 		return err
 	}

+	args, os.Args, err = processAliases(dockerCli, cmd, args, os.Args)
+	if err != nil {
+		return err
+	}
+
 	if len(args) > 0 {
 		if _, _, err := cmd.Find(args); err != nil {
 			err := tryPluginRun(dockerCli, cmd, args[0])
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@ -2863,7 +2863,6 @@ _docker_image_build() {
 	"

 	local boolean_options="
-		--compress
 		--disable-content-trust=false
 		--force-rm
 		--help
@ -2872,16 +2871,35 @@ _docker_image_build() {
 		--quiet -q
 		--rm
 	"
+
 	if __docker_server_is_experimental ; then
 		options_with_args+="
 			--platform
 		"
 		boolean_options+="
 			--squash
-			--stream
 		"
 	fi

+	if [ "$DOCKER_BUILDKIT" = "1" ] ; then
+		options_with_args+="
+			--output -o
+			--platform
+			--progress
+			--secret
+			--ssh
+		"
+	else
+		boolean_options+="
+			--compress
+		"
+		if __docker_server_is_experimental ; then
+			boolean_options+="
+				--stream
+			"
+		fi
+	fi
+
 	local all_options="$options_with_args $boolean_options"

 	case "$prev" in
@ -2926,6 +2944,10 @@ _docker_image_build() {
 			esac
 			return
 			;;
+		--progress)
+			COMPREPLY=( $( compgen -W "auto plain tty" -- "$cur" ) )
+			return
+			;;
 		--tag|-t)
 			__docker_complete_images --repo --tag
 			return
--- a/dockerfiles/Dockerfile.binary-native
+++ b/dockerfiles/Dockerfile.binary-native
@ -1,4 +1,4 @@
-FROM    golang:1.12.1-alpine
+FROM    golang:1.12.4-alpine

 RUN     apk add -U git bash coreutils gcc musl-dev

--- a/dockerfiles/Dockerfile.cross
+++ b/dockerfiles/Dockerfile.cross
@ -1,4 +1,4 @@
-FROM	dockercore/golang-cross:1.12.1@sha256:8541e3aea7b2cffb7ac310af250e34551abe2ec180c77d5a81ae3d52a47ac779
+FROM	dockercore/golang-cross:1.12.4
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
 WORKDIR /go/src/github.com/docker/cli
 COPY    . .
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@ -1,4 +1,4 @@
-FROM    golang:1.12.1-alpine
+FROM    golang:1.12.4-alpine

 RUN     apk add -U git make bash coreutils ca-certificates curl

@ -16,7 +16,7 @@ RUN     go get -d github.com/mjibson/esc && \
        go build -v -o /usr/bin/esc . && \
        rm -rf /go/src/* /go/pkg/* /go/bin/*

-ARG     GOTESTSUM_VERSION=0.3.2
+ARG     GOTESTSUM_VERSION=0.3.4
 RUN     curl -Ls https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz -o gotestsum.tar.gz && \
        tar -xf gotestsum.tar.gz gotestsum -C /usr/bin && \
        rm gotestsum.tar.gz
--- a/dockerfiles/Dockerfile.e2e
+++ b/dockerfiles/Dockerfile.e2e
@ -1,4 +1,4 @@
-ARG GO_VERSION=1.12.1
+ARG GO_VERSION=1.12.4

 FROM docker/containerd-shim-process:a4d1531 AS containerd-shim-process

@ -24,7 +24,7 @@ ARG NOTARY_VERSION=v0.6.1
 RUN curl -Ls https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 -o /usr/local/bin/notary \
    && chmod +x /usr/local/bin/notary

-ARG GOTESTSUM_VERSION=0.3.2
+ARG GOTESTSUM_VERSION=0.3.4
 RUN curl -Ls https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz -o gotestsum.tar.gz \
    && tar -xf gotestsum.tar.gz gotestsum \
    && mv gotestsum /usr/local/bin/gotestsum \
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@ -1,4 +1,4 @@
-FROM    golang:1.12.1-alpine
+FROM    golang:1.12.4-alpine

 RUN     apk add -U git

--- a/docs/reference/commandline/context_create.md
+++ b/docs/reference/commandline/context_create.md
@ -23,7 +23,7 @@ Create a context
 Docker endpoint config:

 NAME                DESCRIPTION
-from-current        Copy current Docker endpoint configuration
+from                Copy Docker endpoint configuration from an existing context
 host                Docker endpoint on which to connect
 ca                  Trust certs signed only by this CA
 cert                Path to TLS certificate file
@ -33,14 +33,16 @@ skip-tls-verify     Skip TLS certificate validation
 Kubernetes endpoint config:

 NAME                 DESCRIPTION
-from-current         Copy current Kubernetes endpoint configuration
+from                 Copy Kubernetes endpoint configuration from an existing context
 config-file          Path to a Kubernetes config file
 context-override     Overrides the context set in the kubernetes config file
 namespace-override   Overrides the namespace set in the kubernetes config file

 Example:

-$ docker context create my-context --description "some description" --docker "host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file"
+$ docker context create my-context \
+      --description "some description" \
+      --docker "host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file"

 Options:
      --default-stack-orchestrator string   Default orchestrator for
@ -52,24 +54,68 @@ Options:
                                            (default [])
      --kubernetes stringToString           set the kubernetes endpoint
                                            (default [])
+      --from string                         Create the context from an existing context
 ```

 ## Description

-Creates a new `context`. This will allow you to quickly switch the cli configuration to connect to different clusters or single nodes.
+Creates a new `context`. This allows you to quickly switch the cli
+configuration to connect to different clusters or single nodes.

-To create a `context` out of an existing `DOCKER_HOST` based script, you can use the `from-current` config key:
+To create a context from scratch provide the docker and, if required,
+kubernetes options. The example below creates the context `my-context`
+with a docker endpoint of `/var/run/docker.sock` and a kubernetes configuration
+sourced from the file `/home/me/my-kube-config`:
+
+```bash
+$ docker context create my-context \
+      --docker host=/var/run/docker.sock \
+      --kubernetes config-file=/home/me/my-kube-config
+```
+
+Use the `--from=<context-name>` option to create a new context from
+an existing context. The example below creates a new context named `my-context`
+from the existing context `existing-context`:
+
+```bash
+$ docker context create my-context --from existing-context
+```
+
+If the `--from` option is not set, the `context` is created from the current context:
+
+```bash
+$ docker context create my-context
+```
+
+This can be used to create a context out of an existing `DOCKER_HOST` based script:

 ```bash
 $ source my-setup-script.sh
-$ docker context create my-context --docker "from-current=true"
+$ docker context create my-context
 ```

-Similarly, to reference the currently active Kubernetes configuration, you can use `--kubernetes "from-current=true"`:
+To source only the `docker` endpoint configuration from an existing context
+use the `--docker from=<context-name>` option. The example below creates a
+new context named `my-context` using the docker endpoint configuration from
+the existing context `existing-context` and a kubernetes configuration sourced
+from the file `/home/me/my-kube-config`:

 ```bash
-$ export KUBECONFIG=/path/to/my/kubeconfig
-$ docker context create my-context --kubernetes "from-current=true" --docker "host=/var/run/docker.sock"
+$ docker context create my-context \
+      --docker from=existing-context \
+      --kubernetes config-file=/home/me/my-kube-config
 ```

-Docker and Kubernetes endpoints configurations, as well as default stack orchestrator and description can be modified with `docker context update`
+To source only the `kubernetes` configuration from an existing context use the
+`--kubernetes from=<context-name>` option. The example below creates a new
+context named `my-context` using the kuberentes configuration from the existing
+context `existing-context` and a docker endpoint of `/var/run/docker.sock`:
+
+```bash
+$ docker context create my-context \
+      --docker host=/var/run/docker.sock \
+      --kubernetes from=existing-context
+```
+
+Docker and Kubernetes endpoints configurations, as well as default stack
+orchestrator and description can be modified with `docker context update`
--- a/docs/reference/commandline/context_update.md
+++ b/docs/reference/commandline/context_update.md
@ -23,7 +23,7 @@ Update a context
 Docker endpoint config:

 NAME                DESCRIPTION
-from-current        Copy current Docker endpoint configuration
+from                Copy Docker endpoint configuration from an existing context
 host                Docker endpoint on which to connect
 ca                  Trust certs signed only by this CA
 cert                Path to TLS certificate file
@ -33,7 +33,7 @@ skip-tls-verify     Skip TLS certificate validation
 Kubernetes endpoint config:

 NAME                 DESCRIPTION
-from-current         Copy current Kubernetes endpoint configuration
+from                 Copy Kubernetes endpoint configuration from an existing context
 config-file          Path to a Kubernetes config file
 context-override     Overrides the context set in the kubernetes config file
 namespace-override   Overrides the namespace set in the kubernetes config file
--- a/internal/test/cli.go
+++ b/internal/test/cli.go
@ -233,7 +233,7 @@ func (c *FakeCli) StackOrchestrator(flagValue string) (command.Orchestrator, err
 	}
 	ctxOrchestrator := ""
 	if c.currentContext != "" && c.contextStore != nil {
-		meta, err := c.contextStore.GetContextMetadata(c.currentContext)
+		meta, err := c.contextStore.GetMetadata(c.currentContext)
 		if err != nil {
 			return "", err
 		}
--- a/vendor.conf
+++ b/vendor.conf
@ -1,104 +1,102 @@
-cloud.google.com/go 0ebda48a7f143b1cce9eb37a8c1106ac762a3430 # v0.34.0
-github.com/agl/ed25519 5312a61534124124185d41f09206b9fef1d88403
-github.com/asaskevich/govalidator f9ffefc3facfbe0caee3fea233cbb6e8208f4541
-github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
-github.com/beorn7/perks 3a771d992973f24aa725d07868b467d1ddfceafb
-github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23
-github.com/containerd/containerd ceba56893a76f22cf0126c46d835c80fb3833408
-github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
-github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/coreos/etcd v3.3.9
-github.com/cpuguy83/go-md2man v1.0.8
-github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76 # v1.1.0
-github.com/dgrijalva/jwt-go a2c85815a77d0f951e33ba4db5ae93629a1530af
-github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580
-github.com/docker/docker dbe4a30928d418e0570891a09703bcbc0e4997a1
-github.com/docker/compose-on-kubernetes v0.4.21
-github.com/docker/docker-credential-helpers 5241b46610f2491efdf9d1c85f1ddf5b02f6d962
-# the docker/go package contains a customized version of canonical/json
-# and is used by Notary. The package is periodically rebased on current Go versions.
-github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06
-github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
-github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
-github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
-github.com/docker/go-units 47565b4f722fb6ceae66b95f853feed578a4a51c # v0.3.3
-github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
-github.com/docker/licensing 9781369abdb5281cdc07a2a446c6df01347ec793
-github.com/docker/swarmkit 18e7e58ea1a5ec016625a636d0d52500eea123bc
-github.com/evanphx/json-patch v4.1.0
-github.com/flynn-archive/go-shlex 3f9db97f856818214da2e1057f8ad84803971cff
-github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
-github.com/gogo/protobuf v1.2.0
-github.com/golang/glog 23def4e6c14b4da8ac2ed8007337bc5eb5007998
-github.com/golang/protobuf v1.2.0
-github.com/google/go-cmp v0.2.0
-github.com/google/gofuzz 24818f796faf91cd76ec7bddd72458fbced7a6c1
-github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
-github.com/google/uuid v1.1.1
-github.com/googleapis/gnostic 7c663266750e7d82587642f65e60bc4083f1f84e # v0.2.0
-github.com/gorilla/mux v1.7.0
-github.com/grpc-ecosystem/grpc-gateway 1a03ca3bad1e1ebadaedd3abb76bc58d4ac8143b
-github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
-github.com/hashicorp/golang-lru 0fb14efe8c47ae851c0034ed7a448854d3d34cf3
-github.com/hashicorp/go-version 23480c0
-github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
-github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 # v1.0
-github.com/json-iterator/go 0ff49de124c6f76f8494e194af75bde0f1a49a29 # 1.1.6
-github.com/mattn/go-shellwords a72fbe27a1b0ed0df2f02754945044ce1456608b # v1.0.5
-github.com/matttproud/golang_protobuf_extensions v1.0.1
-github.com/Microsoft/hcsshim ba3d6667710fa905116f39a19d059c4c1016be7c
-github.com/Microsoft/go-winio c599b533b43b1363d7d7c6cfda5ede70ed73ff13
-github.com/miekg/pkcs11 6120d95c0e9576ccf4a78ba40855809dca31a9ed
-github.com/mitchellh/mapstructure f15292f7a699fcc1a38a80977f80a046874ba8ac
-github.com/moby/buildkit 62e5542790fe1d1cf9ca6302d5a8b988df99159a
-github.com/modern-go/concurrent bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3
-github.com/modern-go/reflect2 4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1
-github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
-github.com/opencontainers/go-digest v1.0.0-rc1
-github.com/opencontainers/image-spec v1.0.1
-github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30
-github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
-github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
-github.com/pkg/errors ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1
-github.com/prometheus/client_golang c5b7fccd204277076155f10851dad72b76a49317 # v0.8.0
-github.com/prometheus/client_model 6f3806018612930941127f2a7c6c453ba2c527d2
-github.com/prometheus/common 7600349dcfe1abd18d72d3a1770870d9800a7801
-github.com/prometheus/procfs 7d6f385de8bea29190f15ba9931442a0eaef9af7
-github.com/russross/blackfriday 1d6b8e9301e720b08a8938b8c25c018285885438
-github.com/shurcooL/sanitized_anchor_name 10ef21a441db47d8b13ebcc5fd2310f636973c77
-github.com/sirupsen/logrus 8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
-github.com/spf13/cobra v0.0.3
-# temporary fork with https://github.com/spf13/pflag/pull/170 applied, which isn't merged yet upstream
-github.com/spf13/pflag 4cb166e4f25ac4e8016a3595bbf7ea2e9aa85a2c https://github.com/thaJeztah/pflag.git
-github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
-github.com/theupdateframework/notary v0.6.1
-github.com/tonistiigi/fsutil 3bbb99cdbd76619ab717299830c60f6f2a533a6b
-github.com/jaguilar/vt100 ad4c4a5743050fb7f88ce968dca9422f72a0e3f2 git://github.com/tonistiigi/vt100.git
-github.com/gofrs/flock 7f43ea2e6a643ad441fc12d0ecc0d3388b300c53 # v0.7.0
-github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
-github.com/xeipuuv/gojsonpointer 4e3ac2762d5f479393488629ee9370b50873b3a6
-github.com/xeipuuv/gojsonreference bd5ef7bd5415a7ac448318e64f11a24cd21e594b
-github.com/xeipuuv/gojsonschema 93e72a773fade158921402d6a24c819b48aba29d
-golang.org/x/crypto b7391e95e576cacdcdd422573063bc057239113d
-golang.org/x/net a680a1efc54dd51c040b3b5ce4939ea3cf2ea0d1
-golang.org/x/oauth2 ef147856a6ddbb60760db74283d2424e98c87bff
-golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e
-golang.org/x/sys d455e41777fca6e8a5a79e34a14b8368bc11d9ba
-golang.org/x/text f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0
-golang.org/x/time fbb02b2291d28baffd63558aa44b4b56f178d650
-google.golang.org/genproto 02b4e95473316948020af0b7a4f0f22c73929b0e
-google.golang.org/grpc v1.12.0
-gopkg.in/inf.v0 d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1
-gopkg.in/yaml.v2 5420a8b6744d3b0345ab293f6fcba19c978f1183 # v2.2.1
-gotest.tools v2.2.0
-k8s.io/api kubernetes-1.14.0
-k8s.io/apimachinery kubernetes-1.14.0
-k8s.io/client-go kubernetes-1.14.0
-k8s.io/klog v0.2.0
-k8s.io/kube-openapi 5e45bb682580c9be5ffa4d27d367f0eeba125c7b
-k8s.io/kubernetes v1.14.0
-k8s.io/utils 21c4ce38f2a793ec01e925ddc31216500183b773
-vbom.ml/util 256737ac55c46798123f754ab7d2c784e2c71783
-sigs.k8s.io/yaml v1.1.0
-github.com/konsorten/go-windows-terminal-sequences v1.0.1
+cloud.google.com/go                                 0ebda48a7f143b1cce9eb37a8c1106ac762a3430 # v0.34.0
+github.com/agl/ed25519                              5312a61534124124185d41f09206b9fef1d88403
+github.com/asaskevich/govalidator                   f9ffefc3facfbe0caee3fea233cbb6e8208f4541
+github.com/Azure/go-ansiterm                        d6e3b3328b783f23731bc4d058875b0371ff8109
+github.com/beorn7/perks                             e7f67b54abbeac9c40a31de0f81159e4cafebd6a
+github.com/containerd/console                       c12b1e7919c14469339a5d38f2f8ed9b64a9de23
+github.com/containerd/containerd                    ceba56893a76f22cf0126c46d835c80fb3833408
+github.com/containerd/continuity                    004b46473808b3e7a4a3049c20e4376c91eb966d
+github.com/containerd/fifo                          a9fb20d87448d386e6d50b1f2e1fa70dcf0de43c
+github.com/containerd/typeurl                       2a93cfde8c20b23de8eb84a5adbc234ddf7a9e8d
+github.com/coreos/etcd                              d57e8b8d97adfc4a6c224fe116714bf1a1f3beb9 # v3.3.12
+github.com/cpuguy83/go-md2man                       20f5889cbdc3c73dbd2862796665e7c465ade7d1 # v1.0.8
+github.com/davecgh/go-spew                          8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1
+github.com/dgrijalva/jwt-go                         a2c85815a77d0f951e33ba4db5ae93629a1530af
+github.com/docker/compose-on-kubernetes             7a68f5c914c7e06d7a08dc71608f41811c91f0bc # v0.4.21
+github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
+github.com/docker/docker                            ac48309ac4024b5bfe21a126b1a23a3e93521d75
+github.com/docker/docker-credential-helpers         5241b46610f2491efdf9d1c85f1ddf5b02f6d962
+github.com/docker/go                                d30aec9fd63c35133f8f79c3412ad91a3b08be06 # Contains a customized version of canonical/json and is used by Notary. The package is periodically rebased on current Go versions.
+github.com/docker/go-connections                    7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
+github.com/docker/go-events                         9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/docker/go-metrics                        d466d4f6fd960e01820085bd7e1a24426ee7ef18
+github.com/docker/go-units                          519db1ee28dcc9fd2474ae59fca29a810482bfb1 # v0.4.0
+github.com/docker/libtrust                          9cbd2a1374f46905c68a4eb3694a130610adc62a
+github.com/docker/licensing                         9781369abdb5281cdc07a2a446c6df01347ec793
+github.com/docker/swarmkit                          59163bf75df38489d4a10392265d27156dc473c5
+github.com/evanphx/json-patch                       72bf35d0ff611848c1dc9df0f976c81192392fa5 # v4.1.0
+github.com/gofrs/flock                              7f43ea2e6a643ad441fc12d0ecc0d3388b300c53 # v0.7.0
+github.com/gogo/googleapis                          08a7655d27152912db7aaf4f983275eaf8d128ef
+github.com/gogo/protobuf                            4cbf7e384e768b4e01799441fdf2a706a5635ae7 # v1.2.0
+github.com/golang/glog                              23def4e6c14b4da8ac2ed8007337bc5eb5007998
+github.com/golang/protobuf                          aa810b61a9c79d51363740d207bb46cf8e620ed5 # v1.2.0
+github.com/google/go-cmp                            3af367b6b30c263d47e8895973edcca9a49cf029 # v0.2.0
+github.com/google/gofuzz                            24818f796faf91cd76ec7bddd72458fbced7a6c1
+github.com/google/shlex                             c34317bd91bf98fab745d77b03933cf8769299fe
+github.com/google/uuid                              0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1
+github.com/googleapis/gnostic                       7c663266750e7d82587642f65e60bc4083f1f84e # v0.2.0
+github.com/gorilla/mux                              a7962380ca08b5a188038c69871b8d3fbdf31e89 # v1.7.0
+github.com/grpc-ecosystem/grpc-gateway              1a03ca3bad1e1ebadaedd3abb76bc58d4ac8143b
+github.com/grpc-ecosystem/grpc-opentracing          8e809c8a86450a29b90dcc9efbf062d0fe6d9746
+github.com/hashicorp/go-version                     23480c0665776210b5fbbac6eaaee40e3e6a96b7
+github.com/hashicorp/golang-lru                     0fb14efe8c47ae851c0034ed7a448854d3d34cf3
+github.com/imdario/mergo                            7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
+github.com/inconshreveable/mousetrap                76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 # v1.0.0
+github.com/jaguilar/vt100                           ad4c4a5743050fb7f88ce968dca9422f72a0e3f2 git://github.com/tonistiigi/vt100.git
+github.com/json-iterator/go                         0ff49de124c6f76f8494e194af75bde0f1a49a29 # 1.1.6
+github.com/konsorten/go-windows-terminal-sequences  f55edac94c9bbba5d6182a4be46d86a2c9b5b50e # v1.0.2
+github.com/mattn/go-shellwords                      a72fbe27a1b0ed0df2f02754945044ce1456608b # v1.0.5
+github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
+github.com/Microsoft/go-winio                       84b4ab48a50763fe7b3abcef38e5205c12027fac
+github.com/Microsoft/hcsshim                        672e52e9209d1e53718c1b6a7d68cc9272654ab5
+github.com/miekg/pkcs11                             6120d95c0e9576ccf4a78ba40855809dca31a9ed
+github.com/mitchellh/mapstructure                   f15292f7a699fcc1a38a80977f80a046874ba8ac
+github.com/moby/buildkit                            8818c67cff663befa7b70f21454e340f71616581
+github.com/modern-go/concurrent                     bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3
+github.com/modern-go/reflect2                       4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1
+github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9c45e8be1067b
+github.com/opencontainers/go-digest                 279bed98673dd5bef374d3b6e4b09e2af76183bf # v1.0.0-rc1
+github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1
+github.com/opencontainers/runc                      029124da7af7360afa781a0234d1b083550f797c # v1.0.0-rc7-6-g029124da
+github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
+github.com/opentracing/opentracing-go               1361b9cd60be79c4c3a7fa9841b3c132e40066a7
+github.com/pkg/errors                               ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1
+github.com/prometheus/client_golang                 c5b7fccd204277076155f10851dad72b76a49317 # v0.8.0
+github.com/prometheus/client_model                  6f3806018612930941127f2a7c6c453ba2c527d2
+github.com/prometheus/common                        7600349dcfe1abd18d72d3a1770870d9800a7801
+github.com/prometheus/procfs                        7d6f385de8bea29190f15ba9931442a0eaef9af7
+github.com/russross/blackfriday                     1d6b8e9301e720b08a8938b8c25c018285885438
+github.com/shurcooL/sanitized_anchor_name           10ef21a441db47d8b13ebcc5fd2310f636973c77
+github.com/sirupsen/logrus                          8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
+github.com/spf13/cobra                              ef82de70bb3f60c65fb8eebacbb2d122ef517385 # v0.0.3
+github.com/spf13/pflag                              4cb166e4f25ac4e8016a3595bbf7ea2e9aa85a2c https://github.com/thaJeztah/pflag.git # temporary fork with https://github.com/spf13/pflag/pull/170 applied, which isn't merged yet upstream
+github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2
+github.com/theupdateframework/notary                d6e1431feb32348e0650bf7551ac5cffd01d857b # v0.6.1
+github.com/tonistiigi/fsutil                        3bbb99cdbd76619ab717299830c60f6f2a533a6b
+github.com/tonistiigi/units                         6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
+github.com/xeipuuv/gojsonpointer                    4e3ac2762d5f479393488629ee9370b50873b3a6
+github.com/xeipuuv/gojsonreference                  bd5ef7bd5415a7ac448318e64f11a24cd21e594b
+github.com/xeipuuv/gojsonschema                     93e72a773fade158921402d6a24c819b48aba29d
+golang.org/x/crypto                                 38d8ce5564a5b71b2e3a00553993f1b9a7ae852f
+golang.org/x/net                                    eb5bcb51f2a31c7d5141d810b70815c05d9c9146
+golang.org/x/oauth2                                 ef147856a6ddbb60760db74283d2424e98c87bff
+golang.org/x/sync                                   e225da77a7e68af35c70ccbf71af2b83e6acac3c
+golang.org/x/sys                                    4b34438f7a67ee5f45cc6132e2bad873a20324e9
+golang.org/x/text                                   f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0
+golang.org/x/time                                   fbb02b2291d28baffd63558aa44b4b56f178d650
+google.golang.org/genproto                          02b4e95473316948020af0b7a4f0f22c73929b0e
+google.golang.org/grpc                              7a6a684ca69eb4cae85ad0a484f2e531598c047b # v1.12.2
+gopkg.in/inf.v0                                     d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1
+gopkg.in/yaml.v2                                    5420a8b6744d3b0345ab293f6fcba19c978f1183 # v2.2.1
+gotest.tools                                        1083505acf35a0bd8a696b26837e1fb3187a7a83 # v2.3.0
+k8s.io/api                                          40a48860b5abbba9aa891b02b32da429b08d96a0 # kubernetes-1.14.0
+k8s.io/apimachinery                                 d7deff9243b165ee192f5551710ea4285dcfd615 # kubernetes-1.14.0
+k8s.io/client-go                                    6ee68ca5fd8355d024d02f9db0b3b667e8357a0f # kubernetes-1.14.0
+k8s.io/klog                                         71442cd4037d612096940ceb0f3fec3f7fff66e0 # v0.2.0
+k8s.io/kube-openapi                                 5e45bb682580c9be5ffa4d27d367f0eeba125c7b
+k8s.io/kubernetes                                   641856db18352033a0d96dbc99153fa3b27298e5 # v1.14.0
+k8s.io/utils                                        21c4ce38f2a793ec01e925ddc31216500183b773
+sigs.k8s.io/yaml                                    fd68e9863619f6ec2fdd8625fe1f02e7c877e480 # v1.1.0
+vbom.ml/util                                        256737ac55c46798123f754ab7d2c784e2c71783
+
+# DO NOT EDIT BELOW THIS LINE -------- reserved for downstream projects --------
--- a/vendor/github.com/Microsoft/go-winio/pipe.go
+++ b/vendor/github.com/Microsoft/go-winio/pipe.go
@ -3,10 +3,13 @@
 package winio

 import (
+	"context"
 	"errors"
+	"fmt"
 	"io"
 	"net"
 	"os"
+	"runtime"
 	"syscall"
 	"time"
 	"unsafe"
@ -18,6 +21,48 @@ import (
 //sys getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) = GetNamedPipeInfo
 //sys getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW
 //sys localAlloc(uFlags uint32, length uint32) (ptr uintptr) = LocalAlloc
+//sys ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) = ntdll.NtCreateNamedPipeFile
+//sys rtlNtStatusToDosError(status ntstatus) (winerr error) = ntdll.RtlNtStatusToDosErrorNoTeb
+//sys rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) = ntdll.RtlDosPathNameToNtPathName_U
+//sys rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) = ntdll.RtlDefaultNpAcl
+
+type ioStatusBlock struct {
+	Status, Information uintptr
+}
+
+type objectAttributes struct {
+	Length             uintptr
+	RootDirectory      uintptr
+	ObjectName         *unicodeString
+	Attributes         uintptr
+	SecurityDescriptor *securityDescriptor
+	SecurityQoS        uintptr
+}
+
+type unicodeString struct {
+	Length        uint16
+	MaximumLength uint16
+	Buffer        uintptr
+}
+
+type securityDescriptor struct {
+	Revision byte
+	Sbz1     byte
+	Control  uint16
+	Owner    uintptr
+	Group    uintptr
+	Sacl     uintptr
+	Dacl     uintptr
+}
+
+type ntstatus int32
+
+func (status ntstatus) Err() error {
+	if status >= 0 {
+		return nil
+	}
+	return rtlNtStatusToDosError(status)
+}

 const (
 	cERROR_PIPE_BUSY      = syscall.Errno(231)
@ -25,21 +70,20 @@ const (
 	cERROR_PIPE_CONNECTED = syscall.Errno(535)
 	cERROR_SEM_TIMEOUT    = syscall.Errno(121)

-	cPIPE_ACCESS_DUPLEX            = 0x3
-	cFILE_FLAG_FIRST_PIPE_INSTANCE = 0x80000
-	cSECURITY_SQOS_PRESENT         = 0x100000
-	cSECURITY_ANONYMOUS            = 0
-
-	cPIPE_REJECT_REMOTE_CLIENTS = 0x8
-
-	cPIPE_UNLIMITED_INSTANCES = 255
-
-	cNMPWAIT_USE_DEFAULT_WAIT = 0
-	cNMPWAIT_NOWAIT           = 1
+	cSECURITY_SQOS_PRESENT = 0x100000
+	cSECURITY_ANONYMOUS    = 0

 	cPIPE_TYPE_MESSAGE = 4

 	cPIPE_READMODE_MESSAGE = 2
+
+	cFILE_OPEN   = 1
+	cFILE_CREATE = 2
+
+	cFILE_PIPE_MESSAGE_TYPE          = 1
+	cFILE_PIPE_REJECT_REMOTE_CLIENTS = 2
+
+	cSE_DACL_PRESENT = 4
 )

 var (
@ -137,9 +181,30 @@ func (s pipeAddress) String() string {
 	return string(s)
 }

+// tryDialPipe attempts to dial the pipe at `path` until `ctx` cancellation or timeout.
+func tryDialPipe(ctx context.Context, path *string) (syscall.Handle, error) {
+	for {
+		select {
+		case <-ctx.Done():
+			return syscall.Handle(0), ctx.Err()
+		default:
+			h, err := createFile(*path, syscall.GENERIC_READ|syscall.GENERIC_WRITE, 0, nil, syscall.OPEN_EXISTING, syscall.FILE_FLAG_OVERLAPPED|cSECURITY_SQOS_PRESENT|cSECURITY_ANONYMOUS, 0)
+			if err == nil {
+				return h, nil
+			}
+			if err != cERROR_PIPE_BUSY {
+				return h, &os.PathError{Err: err, Op: "open", Path: *path}
+			}
+			// Wait 10 msec and try again. This is a rather simplistic
+			// view, as we always try each 10 milliseconds.
+			time.Sleep(time.Millisecond * 10)
+		}
+	}
+}
+
 // DialPipe connects to a named pipe by path, timing out if the connection
 // takes longer than the specified duration. If timeout is nil, then we use
-// a default timeout of 5 seconds.  (We do not use WaitNamedPipe.)
+// a default timeout of 2 seconds.  (We do not use WaitNamedPipe.)
 func DialPipe(path string, timeout *time.Duration) (net.Conn, error) {
 	var absTimeout time.Time
 	if timeout != nil {
@ -147,23 +212,22 @@ func DialPipe(path string, timeout *time.Duration) (net.Conn, error) {
 	} else {
 		absTimeout = time.Now().Add(time.Second * 2)
 	}
+	ctx, _ := context.WithDeadline(context.Background(), absTimeout)
+	conn, err := DialPipeContext(ctx, path)
+	if err == context.DeadlineExceeded {
+		return nil, ErrTimeout
+	}
+	return conn, err
+}
+
+// DialPipeContext attempts to connect to a named pipe by `path` until `ctx`
+// cancellation or timeout.
+func DialPipeContext(ctx context.Context, path string) (net.Conn, error) {
 	var err error
 	var h syscall.Handle
-	for {
-		h, err = createFile(path, syscall.GENERIC_READ|syscall.GENERIC_WRITE, 0, nil, syscall.OPEN_EXISTING, syscall.FILE_FLAG_OVERLAPPED|cSECURITY_SQOS_PRESENT|cSECURITY_ANONYMOUS, 0)
-		if err != cERROR_PIPE_BUSY {
-			break
-		}
-		if time.Now().After(absTimeout) {
-			return nil, ErrTimeout
-		}
-
-		// Wait 10 msec and try again. This is a rather simplistic
-		// view, as we always try each 10 milliseconds.
-		time.Sleep(time.Millisecond * 10)
-	}
+	h, err = tryDialPipe(ctx, &path)
 	if err != nil {
-		return nil, &os.PathError{Op: "open", Path: path, Err: err}
+		return nil, err
 	}

 	var flags uint32
@ -194,43 +258,87 @@ type acceptResponse struct {
 }

 type win32PipeListener struct {
-	firstHandle        syscall.Handle
-	path               string
-	securityDescriptor []byte
-	config             PipeConfig
-	acceptCh           chan (chan acceptResponse)
-	closeCh            chan int
-	doneCh             chan int
+	firstHandle syscall.Handle
+	path        string
+	config      PipeConfig
+	acceptCh    chan (chan acceptResponse)
+	closeCh     chan int
+	doneCh      chan int
 }

-func makeServerPipeHandle(path string, securityDescriptor []byte, c *PipeConfig, first bool) (syscall.Handle, error) {
-	var flags uint32 = cPIPE_ACCESS_DUPLEX | syscall.FILE_FLAG_OVERLAPPED
-	if first {
-		flags |= cFILE_FLAG_FIRST_PIPE_INSTANCE
-	}
-
-	var mode uint32 = cPIPE_REJECT_REMOTE_CLIENTS
-	if c.MessageMode {
-		mode |= cPIPE_TYPE_MESSAGE
-	}
-
-	sa := &syscall.SecurityAttributes{}
-	sa.Length = uint32(unsafe.Sizeof(*sa))
-	if securityDescriptor != nil {
-		len := uint32(len(securityDescriptor))
-		sa.SecurityDescriptor = localAlloc(0, len)
-		defer localFree(sa.SecurityDescriptor)
-		copy((*[0xffff]byte)(unsafe.Pointer(sa.SecurityDescriptor))[:], securityDescriptor)
-	}
-	h, err := createNamedPipe(path, flags, mode, cPIPE_UNLIMITED_INSTANCES, uint32(c.OutputBufferSize), uint32(c.InputBufferSize), 0, sa)
+func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (syscall.Handle, error) {
+	path16, err := syscall.UTF16FromString(path)
 	if err != nil {
 		return 0, &os.PathError{Op: "open", Path: path, Err: err}
 	}
+
+	var oa objectAttributes
+	oa.Length = unsafe.Sizeof(oa)
+
+	var ntPath unicodeString
+	if err := rtlDosPathNameToNtPathName(&path16[0], &ntPath, 0, 0).Err(); err != nil {
+		return 0, &os.PathError{Op: "open", Path: path, Err: err}
+	}
+	defer localFree(ntPath.Buffer)
+	oa.ObjectName = &ntPath
+
+	// The security descriptor is only needed for the first pipe.
+	if first {
+		if sd != nil {
+			len := uint32(len(sd))
+			sdb := localAlloc(0, len)
+			defer localFree(sdb)
+			copy((*[0xffff]byte)(unsafe.Pointer(sdb))[:], sd)
+			oa.SecurityDescriptor = (*securityDescriptor)(unsafe.Pointer(sdb))
+		} else {
+			// Construct the default named pipe security descriptor.
+			var dacl uintptr
+			if err := rtlDefaultNpAcl(&dacl).Err(); err != nil {
+				return 0, fmt.Errorf("getting default named pipe ACL: %s", err)
+			}
+			defer localFree(dacl)
+
+			sdb := &securityDescriptor{
+				Revision: 1,
+				Control:  cSE_DACL_PRESENT,
+				Dacl:     dacl,
+			}
+			oa.SecurityDescriptor = sdb
+		}
+	}
+
+	typ := uint32(cFILE_PIPE_REJECT_REMOTE_CLIENTS)
+	if c.MessageMode {
+		typ |= cFILE_PIPE_MESSAGE_TYPE
+	}
+
+	disposition := uint32(cFILE_OPEN)
+	access := uint32(syscall.GENERIC_READ | syscall.GENERIC_WRITE | syscall.SYNCHRONIZE)
+	if first {
+		disposition = cFILE_CREATE
+		// By not asking for read or write access, the named pipe file system
+		// will put this pipe into an initially disconnected state, blocking
+		// client connections until the next call with first == false.
+		access = syscall.SYNCHRONIZE
+	}
+
+	timeout := int64(-50 * 10000) // 50ms
+
+	var (
+		h    syscall.Handle
+		iosb ioStatusBlock
+	)
+	err = ntCreateNamedPipeFile(&h, access, &oa, &iosb, syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE, disposition, 0, typ, 0, 0, 0xffffffff, uint32(c.InputBufferSize), uint32(c.OutputBufferSize), &timeout).Err()
+	if err != nil {
+		return 0, &os.PathError{Op: "open", Path: path, Err: err}
+	}
+
+	runtime.KeepAlive(ntPath)
 	return h, nil
 }

 func (l *win32PipeListener) makeServerPipe() (*win32File, error) {
-	h, err := makeServerPipeHandle(l.path, l.securityDescriptor, &l.config, false)
+	h, err := makeServerPipeHandle(l.path, nil, &l.config, false)
 	if err != nil {
 		return nil, err
 	}
@ -341,32 +449,13 @@ func ListenPipe(path string, c *PipeConfig) (net.Listener, error) {
 	if err != nil {
 		return nil, err
 	}
-	// Create a client handle and connect it.  This results in the pipe
-	// instance always existing, so that clients see ERROR_PIPE_BUSY
-	// rather than ERROR_FILE_NOT_FOUND.  This ties the first instance
-	// up so that no other instances can be used.  This would have been
-	// cleaner if the Win32 API matched CreateFile with ConnectNamedPipe
-	// instead of CreateNamedPipe.  (Apparently created named pipes are
-	// considered to be in listening state regardless of whether any
-	// active calls to ConnectNamedPipe are outstanding.)
-	h2, err := createFile(path, 0, 0, nil, syscall.OPEN_EXISTING, cSECURITY_SQOS_PRESENT|cSECURITY_ANONYMOUS, 0)
-	if err != nil {
-		syscall.Close(h)
-		return nil, err
-	}
-	// Close the client handle. The server side of the instance will
-	// still be busy, leading to ERROR_PIPE_BUSY instead of
-	// ERROR_NOT_FOUND, as long as we don't close the server handle,
-	// or disconnect the client with DisconnectNamedPipe.
-	syscall.Close(h2)
 	l := &win32PipeListener{
-		firstHandle:        h,
-		path:               path,
-		securityDescriptor: sd,
-		config:             *c,
-		acceptCh:           make(chan (chan acceptResponse)),
-		closeCh:            make(chan int),
-		doneCh:             make(chan int),
+		firstHandle: h,
+		path:        path,
+		config:      *c,
+		acceptCh:    make(chan (chan acceptResponse)),
+		closeCh:     make(chan int),
+		doneCh:      make(chan int),
 	}
 	go l.listenerRoutine()
 	return l, nil
--- a/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
@ -1,4 +1,4 @@
-// MACHINE GENERATED BY 'go generate' COMMAND; DO NOT EDIT
+// Code generated by 'go generate'; DO NOT EDIT.

 package winio

@ -38,6 +38,7 @@ func errnoErr(e syscall.Errno) error {

 var (
 	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
 	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")

 	procCancelIoEx                                           = modkernel32.NewProc("CancelIoEx")
@ -47,10 +48,13 @@ var (
 	procConnectNamedPipe                                     = modkernel32.NewProc("ConnectNamedPipe")
 	procCreateNamedPipeW                                     = modkernel32.NewProc("CreateNamedPipeW")
 	procCreateFileW                                          = modkernel32.NewProc("CreateFileW")
-	procWaitNamedPipeW                                       = modkernel32.NewProc("WaitNamedPipeW")
 	procGetNamedPipeInfo                                     = modkernel32.NewProc("GetNamedPipeInfo")
 	procGetNamedPipeHandleStateW                             = modkernel32.NewProc("GetNamedPipeHandleStateW")
 	procLocalAlloc                                           = modkernel32.NewProc("LocalAlloc")
+	procNtCreateNamedPipeFile                                = modntdll.NewProc("NtCreateNamedPipeFile")
+	procRtlNtStatusToDosErrorNoTeb                           = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
+	procRtlDosPathNameToNtPathName_U                         = modntdll.NewProc("RtlDosPathNameToNtPathName_U")
+	procRtlDefaultNpAcl                                      = modntdll.NewProc("RtlDefaultNpAcl")
 	procLookupAccountNameW                                   = modadvapi32.NewProc("LookupAccountNameW")
 	procConvertSidToStringSidW                               = modadvapi32.NewProc("ConvertSidToStringSidW")
 	procConvertStringSecurityDescriptorToSecurityDescriptorW = modadvapi32.NewProc("ConvertStringSecurityDescriptorToSecurityDescriptorW")
@ -176,27 +180,6 @@ func _createFile(name *uint16, access uint32, mode uint32, sa *syscall.SecurityA
 	return
 }

-func waitNamedPipe(name string, timeout uint32) (err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(name)
-	if err != nil {
-		return
-	}
-	return _waitNamedPipe(_p0, timeout)
-}
-
-func _waitNamedPipe(name *uint16, timeout uint32) (err error) {
-	r1, _, e1 := syscall.Syscall(procWaitNamedPipeW.Addr(), 2, uintptr(unsafe.Pointer(name)), uintptr(timeout), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
 func getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) {
 	r1, _, e1 := syscall.Syscall6(procGetNamedPipeInfo.Addr(), 5, uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), uintptr(unsafe.Pointer(maxInstances)), 0)
 	if r1 == 0 {
@ -227,6 +210,32 @@ func localAlloc(uFlags uint32, length uint32) (ptr uintptr) {
 	return
 }

+func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) {
+	r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0)
+	status = ntstatus(r0)
+	return
+}
+
+func rtlNtStatusToDosError(status ntstatus) (winerr error) {
+	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
+	if r0 != 0 {
+		winerr = syscall.Errno(r0)
+	}
+	return
+}
+
+func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) {
+	r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0)
+	status = ntstatus(r0)
+	return
+}
+
+func rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) {
+	r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0)
+	status = ntstatus(r0)
+	return
+}
+
 func lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
 	var _p0 *uint16
 	_p0, err = syscall.UTF16PtrFromString(accountName)
--- a/vendor/github.com/Microsoft/hcsshim/internal/guestrequest/types.go
+++ b/vendor/github.com/Microsoft/hcsshim/internal/guestrequest/types.go
@ -1,100 +0,0 @@
-package guestrequest
-
-import (
-	"github.com/Microsoft/hcsshim/internal/schema2"
-)
-
-// Arguably, many of these (at least CombinedLayers) should have been generated
-// by swagger.
-//
-// This will also change package name due to an inbound breaking change.
-
-// This class is used by a modify request to add or remove a combined layers
-// structure in the guest. For windows, the GCS applies a filter in ContainerRootPath
-// using the specified layers as the parent content. Ignores property ScratchPath
-// since the container path is already the scratch path. For linux, the GCS unions
-// the specified layers and ScratchPath together, placing the resulting union
-// filesystem at ContainerRootPath.
-type CombinedLayers struct {
-	ContainerRootPath string            `json:"ContainerRootPath,omitempty"`
-	Layers            []hcsschema.Layer `json:"Layers,omitempty"`
-	ScratchPath       string            `json:"ScratchPath,omitempty"`
-}
-
-// Defines the schema for hosted settings passed to GCS and/or OpenGCS
-
-// SCSI. Scratch space for remote file-system commands, or R/W layer for containers
-type LCOWMappedVirtualDisk struct {
-	MountPath  string `json:"MountPath,omitempty"` // /tmp/scratch for an LCOW utility VM being used as a service VM
-	Lun        uint8  `json:"Lun,omitempty"`
-	Controller uint8  `json:"Controller,omitempty"`
-	ReadOnly   bool   `json:"ReadOnly,omitempty"`
-}
-
-type WCOWMappedVirtualDisk struct {
-	ContainerPath string `json:"ContainerPath,omitempty"`
-	Lun           int32  `json:"Lun,omitempty"`
-}
-
-type LCOWMappedDirectory struct {
-	MountPath string `json:"MountPath,omitempty"`
-	Port      int32  `json:"Port,omitempty"`
-	ShareName string `json:"ShareName,omitempty"` // If empty not using ANames (not currently supported)
-	ReadOnly  bool   `json:"ReadOnly,omitempty"`
-}
-
-// Read-only layers over VPMem
-type LCOWMappedVPMemDevice struct {
-	DeviceNumber uint32 `json:"DeviceNumber,omitempty"`
-	MountPath    string `json:"MountPath,omitempty"` // /tmp/pN
-}
-
-type LCOWNetworkAdapter struct {
-	NamespaceID     string `json:",omitempty"`
-	ID              string `json:",omitempty"`
-	MacAddress      string `json:",omitempty"`
-	IPAddress       string `json:",omitempty"`
-	PrefixLength    uint8  `json:",omitempty"`
-	GatewayAddress  string `json:",omitempty"`
-	DNSSuffix       string `json:",omitempty"`
-	DNSServerList   string `json:",omitempty"`
-	EnableLowMetric bool   `json:",omitempty"`
-	EncapOverhead   uint16 `json:",omitempty"`
-}
-
-type ResourceType string
-
-const (
-	// These are constants for v2 schema modify guest requests.
-	ResourceTypeMappedDirectory   ResourceType = "MappedDirectory"
-	ResourceTypeMappedVirtualDisk ResourceType = "MappedVirtualDisk"
-	ResourceTypeNetwork           ResourceType = "Network"
-	ResourceTypeNetworkNamespace  ResourceType = "NetworkNamespace"
-	ResourceTypeCombinedLayers    ResourceType = "CombinedLayers"
-	ResourceTypeVPMemDevice       ResourceType = "VPMemDevice"
-)
-
-// GuestRequest is for modify commands passed to the guest.
-type GuestRequest struct {
-	RequestType  string       `json:"RequestType,omitempty"`
-	ResourceType ResourceType `json:"ResourceType,omitempty"`
-	Settings     interface{}  `json:"Settings,omitempty"`
-}
-
-type NetworkModifyRequest struct {
-	AdapterId   string      `json:"AdapterId,omitempty"`
-	RequestType string      `json:"RequestType,omitempty"`
-	Settings    interface{} `json:"Settings,omitempty"`
-}
-
-type RS4NetworkModifyRequest struct {
-	AdapterInstanceId string      `json:"AdapterInstanceId,omitempty"`
-	RequestType       string      `json:"RequestType,omitempty"`
-	Settings          interface{} `json:"Settings,omitempty"`
-}
-
-// SignalProcessOptions is the options passed to either WCOW or LCOW
-// to signal a given process.
-type SignalProcessOptions struct {
-	Signal int `json:,omitempty`
-}
--- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/callback.go
+++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/callback.go
@ -1,10 +1,12 @@
 package hcs

 import (
+	"fmt"
 	"sync"
 	"syscall"

 	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/Microsoft/hcsshim/internal/logfields"
 	"github.com/sirupsen/logrus"
 )

@ -40,16 +42,61 @@ var (
 )

 type hcsNotification uint32
+
+func (hn hcsNotification) String() string {
+	switch hn {
+	case hcsNotificationSystemExited:
+		return "SystemExited"
+	case hcsNotificationSystemCreateCompleted:
+		return "SystemCreateCompleted"
+	case hcsNotificationSystemStartCompleted:
+		return "SystemStartCompleted"
+	case hcsNotificationSystemPauseCompleted:
+		return "SystemPauseCompleted"
+	case hcsNotificationSystemResumeCompleted:
+		return "SystemResumeCompleted"
+	case hcsNotificationSystemCrashReport:
+		return "SystemCrashReport"
+	case hcsNotificationSystemSiloJobCreated:
+		return "SystemSiloJobCreated"
+	case hcsNotificationSystemSaveCompleted:
+		return "SystemSaveCompleted"
+	case hcsNotificationSystemRdpEnhancedModeStateChanged:
+		return "SystemRdpEnhancedModeStateChanged"
+	case hcsNotificationSystemShutdownFailed:
+		return "SystemShutdownFailed"
+	case hcsNotificationSystemGetPropertiesCompleted:
+		return "SystemGetPropertiesCompleted"
+	case hcsNotificationSystemModifyCompleted:
+		return "SystemModifyCompleted"
+	case hcsNotificationSystemCrashInitiated:
+		return "SystemCrashInitiated"
+	case hcsNotificationSystemGuestConnectionClosed:
+		return "SystemGuestConnectionClosed"
+	case hcsNotificationProcessExited:
+		return "ProcessExited"
+	case hcsNotificationInvalid:
+		return "Invalid"
+	case hcsNotificationServiceDisconnect:
+		return "ServiceDisconnect"
+	default:
+		return fmt.Sprintf("Unknown: %d", hn)
+	}
+}
+
 type notificationChannel chan error

 type notifcationWatcherContext struct {
 	channels notificationChannels
 	handle   hcsCallback
+
+	systemID  string
+	processID int
 }

 type notificationChannels map[hcsNotification]notificationChannel

-func newChannels() notificationChannels {
+func newSystemChannels() notificationChannels {
 	channels := make(notificationChannels)

 	channels[hcsNotificationSystemExited] = make(notificationChannel, 1)
@ -57,17 +104,14 @@ func newChannels() notificationChannels {
 	channels[hcsNotificationSystemStartCompleted] = make(notificationChannel, 1)
 	channels[hcsNotificationSystemPauseCompleted] = make(notificationChannel, 1)
 	channels[hcsNotificationSystemResumeCompleted] = make(notificationChannel, 1)
+
+	return channels
+}
+
+func newProcessChannels() notificationChannels {
+	channels := make(notificationChannels)
+
 	channels[hcsNotificationProcessExited] = make(notificationChannel, 1)
-	channels[hcsNotificationServiceDisconnect] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemCrashReport] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemSiloJobCreated] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemSaveCompleted] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemRdpEnhancedModeStateChanged] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemShutdownFailed] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemGetPropertiesCompleted] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemModifyCompleted] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemCrashInitiated] = make(notificationChannel, 1)
-	channels[hcsNotificationSystemGuestConnectionClosed] = make(notificationChannel, 1)

 	return channels
 }
@ -92,12 +136,28 @@ func notificationWatcher(notificationType hcsNotification, callbackNumber uintpt
 		return 0
 	}

+	log := logrus.WithFields(logrus.Fields{
+		"notification-type": notificationType.String(),
+		"system-id":         context.systemID,
+	})
+	if context.processID != 0 {
+		log.Data[logfields.ProcessID] = context.processID
+	}
+	log.Debug("")
+
+	// The HCS notification system can grow overtime. We explicitly opt-in to
+	// the notifications we would like to handle, all others we simply return.
+	// This means that as it grows we don't have issues associated with new
+	// notification types the code didn't know about.
+	switch notificationType {
+	case hcsNotificationSystemExited, hcsNotificationSystemCreateCompleted, hcsNotificationSystemStartCompleted, hcsNotificationSystemPauseCompleted, hcsNotificationSystemResumeCompleted:
+	case hcsNotificationProcessExited:
+	default:
+		return 0
+	}
+
 	if channel, ok := context.channels[notificationType]; ok {
 		channel <- result
-	} else {
-		logrus.WithFields(logrus.Fields{
-			"notification-type": notificationType,
-		}).Warn("Received a callback of an unsupported type")
 	}

 	return 0
--- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go
+++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go
@ -272,6 +272,13 @@ func IsNotSupported(err error) bool {
 		err == ErrVmcomputeUnknownMessage
 }

+// IsOperationInvalidState returns true when err is caused by
+// `ErrVmcomputeOperationInvalidState`.
+func IsOperationInvalidState(err error) bool {
+	err = getInnerError(err)
+	return err == ErrVmcomputeOperationInvalidState
+}
+
 func getInnerError(err error) error {
 	switch pe := err.(type) {
 	case nil:
--- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/hcs.go
+++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/hcs.go
@ -27,7 +27,7 @@ import (
 //sys hcsOpenProcess(computeSystem hcsSystem, pid uint32, process *hcsProcess, result **uint16) (hr error) = vmcompute.HcsOpenProcess?
 //sys hcsCloseProcess(process hcsProcess) (hr error) = vmcompute.HcsCloseProcess?
 //sys hcsTerminateProcess(process hcsProcess, result **uint16) (hr error) = vmcompute.HcsTerminateProcess?
-//sys hcsSignalProcess(process hcsProcess, options string, result **uint16) (hr error) = vmcompute.HcsTerminateProcess?
+//sys hcsSignalProcess(process hcsProcess, options string, result **uint16) (hr error) = vmcompute.HcsSignalProcess?
 //sys hcsGetProcessInfo(process hcsProcess, processInformation *hcsProcessInformation, result **uint16) (hr error) = vmcompute.HcsGetProcessInfo?
 //sys hcsGetProcessProperties(process hcsProcess, processProperties **uint16, result **uint16) (hr error) = vmcompute.HcsGetProcessProperties?
 //sys hcsModifyProcess(process hcsProcess, settings string, result **uint16) (hr error) = vmcompute.HcsModifyProcess?
--- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go
+++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go
@ -7,7 +7,6 @@ import (
 	"syscall"
 	"time"

-	"github.com/Microsoft/hcsshim/internal/guestrequest"
 	"github.com/Microsoft/hcsshim/internal/interop"
 	"github.com/Microsoft/hcsshim/internal/logfields"
 	"github.com/sirupsen/logrus"
@ -112,7 +111,11 @@ func (process *Process) logOperationEnd(operation string, err error) {
 }

 // Signal signals the process with `options`.
-func (process *Process) Signal(options guestrequest.SignalProcessOptions) (err error) {
+//
+// For LCOW `guestrequest.SignalProcessOptionsLCOW`.
+//
+// For WCOW `guestrequest.SignalProcessOptionsWCOW`.
+func (process *Process) Signal(options interface{}) (err error) {
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()

@ -189,7 +192,7 @@ func (process *Process) Wait() (err error) {

 	<-process.waitBlock
 	if process.waitError != nil {
-		return makeProcessError(process, operation, err, nil)
+		return makeProcessError(process, operation, process.waitError, nil)
 	}
 	return nil
 }
@ -432,7 +435,9 @@ func (process *Process) Close() (err error) {

 func (process *Process) registerCallback() error {
 	context := &notifcationWatcherContext{
-		channels: newChannels(),
+		channels:  newProcessChannels(),
+		systemID:  process.SystemID(),
+		processID: process.processID,
 	}

 	callbackMapLock.Lock()
--- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go
+++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go
@ -414,18 +414,19 @@ func (computeSystem *System) Properties(types ...schema1.PropertyType) (_ *schem
 	computeSystem.logOperationBegin(operation)
 	defer func() { computeSystem.logOperationEnd(operation, err) }()

-	queryj, err := json.Marshal(schema1.PropertyQuery{types})
+	queryBytes, err := json.Marshal(schema1.PropertyQuery{PropertyTypes: types})
 	if err != nil {
 		return nil, makeSystemError(computeSystem, "Properties", "", err, nil)
 	}

+	queryString := string(queryBytes)
 	logrus.WithFields(computeSystem.logctx).
-		WithField(logfields.JSON, queryj).
+		WithField(logfields.JSON, queryString).
 		Debug("HCS ComputeSystem Properties Query")

 	var resultp, propertiesp *uint16
 	syscallWatcher(computeSystem.logctx, func() {
-		err = hcsGetComputeSystemProperties(computeSystem.handle, string(queryj), &propertiesp, &resultp)
+		err = hcsGetComputeSystemProperties(computeSystem.handle, string(queryString), &propertiesp, &resultp)
 	})
 	events := processHcsResult(resultp)
 	if err != nil {
@ -625,7 +626,8 @@ func (computeSystem *System) Close() (err error) {

 func (computeSystem *System) registerCallback() error {
 	context := &notifcationWatcherContext{
-		channels: newChannels(),
+		channels: newSystemChannels(),
+		systemID: computeSystem.id,
 	}

 	callbackMapLock.Lock()
--- a/vendor/github.com/Microsoft/hcsshim/internal/hcs/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/hcsshim/internal/hcs/zsyscall_windows.go
@ -56,13 +56,13 @@ var (
 	procHcsOpenProcess                     = modvmcompute.NewProc("HcsOpenProcess")
 	procHcsCloseProcess                    = modvmcompute.NewProc("HcsCloseProcess")
 	procHcsTerminateProcess                = modvmcompute.NewProc("HcsTerminateProcess")
-
-	procHcsGetProcessInfo            = modvmcompute.NewProc("HcsGetProcessInfo")
-	procHcsGetProcessProperties      = modvmcompute.NewProc("HcsGetProcessProperties")
-	procHcsModifyProcess             = modvmcompute.NewProc("HcsModifyProcess")
-	procHcsGetServiceProperties      = modvmcompute.NewProc("HcsGetServiceProperties")
-	procHcsRegisterProcessCallback   = modvmcompute.NewProc("HcsRegisterProcessCallback")
-	procHcsUnregisterProcessCallback = modvmcompute.NewProc("HcsUnregisterProcessCallback")
+	procHcsSignalProcess                   = modvmcompute.NewProc("HcsSignalProcess")
+	procHcsGetProcessInfo                  = modvmcompute.NewProc("HcsGetProcessInfo")
+	procHcsGetProcessProperties            = modvmcompute.NewProc("HcsGetProcessProperties")
+	procHcsModifyProcess                   = modvmcompute.NewProc("HcsModifyProcess")
+	procHcsGetServiceProperties            = modvmcompute.NewProc("HcsGetServiceProperties")
+	procHcsRegisterProcessCallback         = modvmcompute.NewProc("HcsRegisterProcessCallback")
+	procHcsUnregisterProcessCallback       = modvmcompute.NewProc("HcsUnregisterProcessCallback")
 )

 func hcsEnumerateComputeSystems(query string, computeSystems **uint16, result **uint16) (hr error) {
@ -417,10 +417,10 @@ func hcsSignalProcess(process hcsProcess, options string, result **uint16) (hr e
 }

 func _hcsSignalProcess(process hcsProcess, options *uint16, result **uint16) (hr error) {
-	if hr = procHcsTerminateProcess.Find(); hr != nil {
+	if hr = procHcsSignalProcess.Find(); hr != nil {
 		return
 	}
-	r0, _, _ := syscall.Syscall(procHcsTerminateProcess.Addr(), 3, uintptr(process), uintptr(unsafe.Pointer(options)), uintptr(unsafe.Pointer(result)))
+	r0, _, _ := syscall.Syscall(procHcsSignalProcess.Addr(), 3, uintptr(process), uintptr(unsafe.Pointer(options)), uintptr(unsafe.Pointer(result)))
 	if int32(r0) < 0 {
 		if r0&0x1fff0000 == 0x00070000 {
 			r0 &= 0xffff
--- a/vendor/github.com/Microsoft/hcsshim/osversion/osversion_windows.go
+++ b/vendor/github.com/Microsoft/hcsshim/osversion/osversion_windows.go
@ -0,0 +1,51 @@
+package osversion
+
+import (
+	"fmt"
+
+	"golang.org/x/sys/windows"
+)
+
+// OSVersion is a wrapper for Windows version information
+// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
+type OSVersion struct {
+	Version      uint32
+	MajorVersion uint8
+	MinorVersion uint8
+	Build        uint16
+}
+
+// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
+type osVersionInfoEx struct {
+	OSVersionInfoSize uint32
+	MajorVersion      uint32
+	MinorVersion      uint32
+	BuildNumber       uint32
+	PlatformID        uint32
+	CSDVersion        [128]uint16
+	ServicePackMajor  uint16
+	ServicePackMinor  uint16
+	SuiteMask         uint16
+	ProductType       byte
+	Reserve           byte
+}
+
+// Get gets the operating system version on Windows.
+// The calling application must be manifested to get the correct version information.
+func Get() OSVersion {
+	var err error
+	osv := OSVersion{}
+	osv.Version, err = windows.GetVersion()
+	if err != nil {
+		// GetVersion never fails.
+		panic(err)
+	}
+	osv.MajorVersion = uint8(osv.Version & 0xFF)
+	osv.MinorVersion = uint8(osv.Version >> 8 & 0xFF)
+	osv.Build = uint16(osv.Version >> 16)
+	return osv
+}
+
+func (osv OSVersion) ToString() string {
+	return fmt.Sprintf("%d.%d.%d", osv.MajorVersion, osv.MinorVersion, osv.Build)
+}
--- a/vendor/github.com/Microsoft/hcsshim/osversion/windowsbuilds.go
+++ b/vendor/github.com/Microsoft/hcsshim/osversion/windowsbuilds.go
@ -0,0 +1,23 @@
+package osversion
+
+const (
+	// RS1 (version 1607, codename "Redstone 1") corresponds to Windows Server
+	// 2016 (ltsc2016) and Windows 10 (Anniversary Update).
+	RS1 = 14393
+
+	// RS2 (version 1703, codename "Redstone 2") was a client-only update, and
+	// corresponds to Windows 10 (Creators Update).
+	RS2 = 15063
+
+	// RS3 (version 1709, codename "Redstone 3") corresponds to Windows Server
+	// 1709 (Semi-Annual Channel (SAC)), and Windows 10 (Fall Creators Update).
+	RS3 = 16299
+
+	// RS4 (version 1803, codename "Redstone 4") corresponds to Windows Server
+	// 1809 (Semi-Annual Channel (SAC)), and Windows 10 (April 2018 Update).
+	RS4 = 17134
+
+	// RS5 (version 1809, codename "Redstone 5") corresponds to Windows Server
+	// 2019 (ltsc2019), and Windows 10 (October 2018 Update).
+	RS5 = 17763
+)
--- a/vendor/github.com/Microsoft/hcsshim/vendor.conf
+++ b/vendor/github.com/Microsoft/hcsshim/vendor.conf
@ -10,7 +10,7 @@ github.com/hashicorp/errwrap 7554cd9344cec97297fa6649b055a8c98c2a1e55
 github.com/hashicorp/go-multierror ed905158d87462226a13fe39ddf685ea65f1c11f
 github.com/konsorten/go-windows-terminal-sequences v1.0.1
 github.com/linuxkit/virtsock 8e79449dea0735c1c056d814934dd035734cc97c
-github.com/Microsoft/go-winio c599b533b43b1363d7d7c6cfda5ede70ed73ff13
+github.com/Microsoft/go-winio 84b4ab48a50763fe7b3abcef38e5205c12027fac
 github.com/Microsoft/opengcs v0.3.9
 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
 github.com/opencontainers/runc 12f6a991201fdb8f82579582d5e00e28fba06d0a
--- a/vendor/github.com/containerd/continuity/LICENSE
+++ b/vendor/github.com/containerd/continuity/LICENSE
@ -1,6 +1,7 @@
+
                                 Apache License
                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

@ -175,28 +176,16 @@

   END OF TERMS AND CONDITIONS

-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
+   Copyright The containerd Authors

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-
--- a/vendor/github.com/containerd/continuity/README.md
+++ b/vendor/github.com/containerd/continuity/README.md
@ -72,3 +72,13 @@ If you change the proto file you will need to rebuild the generated Go with `go
 ```console
 $ go generate ./proto
 ```
+
+## Project details
+
+continuity is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
--- a/vendor/github.com/containerd/continuity/fs/copy.go
+++ b/vendor/github.com/containerd/continuity/fs/copy.go
@ -32,14 +32,49 @@ var bufferPool = &sync.Pool{
 	},
 }

-// CopyDir copies the directory from src to dst.
-// Most efficient copy of files is attempted.
-func CopyDir(dst, src string) error {
-	inodes := map[uint64]string{}
-	return copyDirectory(dst, src, inodes)
+// XAttrErrorHandlers transform a non-nil xattr error.
+// Return nil to ignore an error.
+// xattrKey can be empty for listxattr operation.
+type XAttrErrorHandler func(dst, src, xattrKey string, err error) error
+
+type copyDirOpts struct {
+	xeh XAttrErrorHandler
 }

-func copyDirectory(dst, src string, inodes map[uint64]string) error {
+type CopyDirOpt func(*copyDirOpts) error
+
+// WithXAttrErrorHandler allows specifying XAttrErrorHandler
+// If nil XAttrErrorHandler is specified (default), CopyDir stops
+// on a non-nil xattr error.
+func WithXAttrErrorHandler(xeh XAttrErrorHandler) CopyDirOpt {
+	return func(o *copyDirOpts) error {
+		o.xeh = xeh
+		return nil
+	}
+}
+
+// WithAllowXAttrErrors allows ignoring xattr errors.
+func WithAllowXAttrErrors() CopyDirOpt {
+	xeh := func(dst, src, xattrKey string, err error) error {
+		return nil
+	}
+	return WithXAttrErrorHandler(xeh)
+}
+
+// CopyDir copies the directory from src to dst.
+// Most efficient copy of files is attempted.
+func CopyDir(dst, src string, opts ...CopyDirOpt) error {
+	var o copyDirOpts
+	for _, opt := range opts {
+		if err := opt(&o); err != nil {
+			return err
+		}
+	}
+	inodes := map[uint64]string{}
+	return copyDirectory(dst, src, inodes, &o)
+}
+
+func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) error {
 	stat, err := os.Stat(src)
 	if err != nil {
 		return errors.Wrapf(err, "failed to stat %s", src)
@ -75,7 +110,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string) error {

 		switch {
 		case fi.IsDir():
-			if err := copyDirectory(target, source, inodes); err != nil {
+			if err := copyDirectory(target, source, inodes, o); err != nil {
 				return err
 			}
 			continue
@ -111,7 +146,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string) error {
 			return errors.Wrap(err, "failed to copy file info")
 		}

-		if err := copyXAttrs(target, source); err != nil {
+		if err := copyXAttrs(target, source, o.xeh); err != nil {
 			return errors.Wrap(err, "failed to copy xattrs")
 		}
 	}
--- a/vendor/github.com/containerd/continuity/fs/copy_linux.go
+++ b/vendor/github.com/containerd/continuity/fs/copy_linux.go
@ -59,6 +59,8 @@ func copyFileInfo(fi os.FileInfo, name string) error {
 	return nil
 }

+const maxSSizeT = int64(^uint(0) >> 1)
+
 func copyFileContent(dst, src *os.File) error {
 	st, err := src.Stat()
 	if err != nil {
@ -71,7 +73,16 @@ func copyFileContent(dst, src *os.File) error {
 	dstFd := int(dst.Fd())

 	for size > 0 {
-		n, err := unix.CopyFileRange(srcFd, nil, dstFd, nil, int(size), 0)
+		// Ensure that we are never trying to copy more than SSIZE_MAX at a
+		// time and at the same time avoids overflows when the file is larger
+		// than 4GB on 32-bit systems.
+		var copySize int
+		if size > maxSSizeT {
+			copySize = int(maxSSizeT)
+		} else {
+			copySize = int(size)
+		}
+		n, err := unix.CopyFileRange(srcFd, nil, dstFd, nil, copySize, 0)
 		if err != nil {
 			if (err != unix.ENOSYS && err != unix.EXDEV) || !first {
 				return errors.Wrap(err, "copy file range failed")
@ -90,18 +101,34 @@ func copyFileContent(dst, src *os.File) error {
 	return nil
 }

-func copyXAttrs(dst, src string) error {
+func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
 	xattrKeys, err := sysx.LListxattr(src)
 	if err != nil {
-		return errors.Wrapf(err, "failed to list xattrs on %s", src)
+		e := errors.Wrapf(err, "failed to list xattrs on %s", src)
+		if xeh != nil {
+			e = xeh(dst, src, "", e)
+		}
+		return e
 	}
 	for _, xattr := range xattrKeys {
 		data, err := sysx.LGetxattr(src, xattr)
 		if err != nil {
-			return errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			e := errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 		if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil {
-			return errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			e := errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 	}

--- a/vendor/github.com/containerd/continuity/fs/copy_unix.go
+++ b/vendor/github.com/containerd/continuity/fs/copy_unix.go
@ -69,18 +69,34 @@ func copyFileContent(dst, src *os.File) error {
 	return err
 }

-func copyXAttrs(dst, src string) error {
+func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
 	xattrKeys, err := sysx.LListxattr(src)
 	if err != nil {
-		return errors.Wrapf(err, "failed to list xattrs on %s", src)
+		e := errors.Wrapf(err, "failed to list xattrs on %s", src)
+		if xeh != nil {
+			e = xeh(dst, src, "", e)
+		}
+		return e
 	}
 	for _, xattr := range xattrKeys {
 		data, err := sysx.LGetxattr(src, xattr)
 		if err != nil {
-			return errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			e := errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 		if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil {
-			return errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			e := errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 	}

--- a/vendor/github.com/containerd/continuity/fs/copy_windows.go
+++ b/vendor/github.com/containerd/continuity/fs/copy_windows.go
@ -40,7 +40,7 @@ func copyFileContent(dst, src *os.File) error {
 	return err
 }

-func copyXAttrs(dst, src string) error {
+func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
 	return nil
 }

--- a/vendor/github.com/containerd/fifo/raw.go
+++ b/vendor/github.com/containerd/fifo/raw.go
@ -0,0 +1,116 @@
+// +build go1.12
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fifo
+
+import (
+	"syscall"
+
+	"github.com/pkg/errors"
+)
+
+// SyscallConn provides raw access to the fifo's underlying filedescrptor.
+// See syscall.Conn for guarentees provided by this interface.
+func (f *fifo) SyscallConn() (syscall.RawConn, error) {
+	// deterministic check for closed
+	select {
+	case <-f.closed:
+		return nil, errors.New("fifo closed")
+	default:
+	}
+
+	select {
+	case <-f.closed:
+		return nil, errors.New("fifo closed")
+	case <-f.opened:
+		return f.file.SyscallConn()
+	default:
+	}
+
+	// Not opened and not closed, this means open is non-blocking AND it's not open yet
+	// Use rawConn to deal with non-blocking open.
+	rc := &rawConn{f: f, ready: make(chan struct{})}
+	go func() {
+		select {
+		case <-f.closed:
+			return
+		case <-f.opened:
+			rc.raw, rc.err = f.file.SyscallConn()
+			close(rc.ready)
+		}
+	}()
+
+	return rc, nil
+}
+
+type rawConn struct {
+	f     *fifo
+	ready chan struct{}
+	raw   syscall.RawConn
+	err   error
+}
+
+func (r *rawConn) Control(f func(fd uintptr)) error {
+	select {
+	case <-r.f.closed:
+		return errors.New("control of closed fifo")
+	case <-r.ready:
+	}
+
+	if r.err != nil {
+		return r.err
+	}
+
+	return r.raw.Control(f)
+}
+
+func (r *rawConn) Read(f func(fd uintptr) (done bool)) error {
+	if r.f.flag&syscall.O_WRONLY > 0 {
+		return errors.New("reading from write-only fifo")
+	}
+
+	select {
+	case <-r.f.closed:
+		return errors.New("reading of a closed fifo")
+	case <-r.ready:
+	}
+
+	if r.err != nil {
+		return r.err
+	}
+
+	return r.raw.Read(f)
+}
+
+func (r *rawConn) Write(f func(fd uintptr) (done bool)) error {
+	if r.f.flag&(syscall.O_WRONLY|syscall.O_RDWR) == 0 {
+		return errors.New("writing to read-only fifo")
+	}
+
+	select {
+	case <-r.f.closed:
+		return errors.New("writing to a closed fifo")
+	case <-r.ready:
+	}
+
+	if r.err != nil {
+		return r.err
+	}
+
+	return r.raw.Write(f)
+}
--- a/vendor/github.com/containerd/fifo/readme.md
+++ b/vendor/github.com/containerd/fifo/readme.md
@ -1,6 +1,7 @@
 ### fifo

 [![Build Status](https://travis-ci.org/containerd/fifo.svg?branch=master)](https://travis-ci.org/containerd/fifo)
+[![codecov](https://codecov.io/gh/containerd/fifo/branch/master/graph/badge.svg)](https://codecov.io/gh/containerd/fifo)

 Go package for handling fifos in a sane way.

@ -30,3 +31,14 @@ func (f *fifo) Write(b []byte) (int, error)
 // before open(2) has returned and fifo was never opened.
 func (f *fifo) Close() error 
 ```
+
+## Project details
+
+The fifo is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+
+ * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
--- a/vendor/github.com/containerd/typeurl/LICENSE
+++ b/vendor/github.com/containerd/typeurl/LICENSE
@ -1,6 +1,7 @@
+
                                 Apache License
                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

@ -175,24 +176,13 @@

   END OF TERMS AND CONDITIONS

-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
+   Copyright The containerd Authors

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
--- a/vendor/github.com/containerd/typeurl/README.md
+++ b/vendor/github.com/containerd/typeurl/README.md
@ -7,3 +7,13 @@
 A Go package for managing the registration, marshaling, and unmarshaling of encoded types.

 This package helps when types are sent over a GRPC API and marshaled as a [protobuf.Any]().
+
+## Project details
+
+**typeurl** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
--- a/vendor/github.com/containerd/typeurl/doc.go
+++ b/vendor/github.com/containerd/typeurl/doc.go
@ -0,0 +1,83 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package typeurl
+
+// Package typeurl assists with managing the registration, marshaling, and
+// unmarshaling of types encoded as protobuf.Any.
+//
+// A protobuf.Any is a proto message that can contain any arbitrary data. It
+// consists of two components, a TypeUrl and a Value, and its proto definition
+// looks like this:
+//
+//   message Any {
+//     string type_url = 1;
+//     bytes value = 2;
+//   }
+//
+// The TypeUrl is used to distinguish the contents from other proto.Any
+// messages. This typeurl library manages these URLs to enable automagic
+// marshaling and unmarshaling of the contents.
+//
+// For example, consider this go struct:
+//
+//   type Foo struct {
+//     Field1 string
+//     Field2 string
+//   }
+//
+// To use typeurl, types must first be registered. This is typically done in
+// the init function
+//
+//   func init() {
+//      typeurl.Register(&Foo{}, "Foo")
+//   }
+//
+// This will register the type Foo with the url path "Foo". The arguments to
+// Register are variadic, and are used to construct a url path. Consider this
+// example, from the github.com/containerd/containerd/client package:
+//
+//   func init() {
+//     const prefix = "types.containerd.io"
+//     // register TypeUrls for commonly marshaled external types
+//     major := strconv.Itoa(specs.VersionMajor)
+//     typeurl.Register(&specs.Spec{}, prefix, "opencontainers/runtime-spec", major, "Spec")
+//     // this function has more Register calls, which are elided.
+//   }
+//
+// This registers several types under a more complex url, which ends up mapping
+// to `types.containerd.io/opencontainers/runtime-spec/1/Spec` (or some other
+// value for major).
+//
+// Once a type is registered, it can be marshaled to a proto.Any message simply
+// by calling `MarshalAny`, like this:
+//
+//   foo := &Foo{Field1: "value1", Field2: "value2"}
+//   anyFoo, err := typeurl.MarshalAny(foo)
+//
+// MarshalAny will resolve the correct URL for the type. If the type in
+// question implements the proto.Message interface, then it will be marshaled
+// as a proto message. Otherwise, it will be marshaled as json. This means that
+// typeurl will work on any arbitrary data, whether or not it has a proto
+// definition, as long as it can be serialized to json.
+//
+// To unmarshal, the process is simply inverse:
+//
+//   iface, err := typeurl.UnmarshalAny(anyFoo)
+//   foo := iface.(*Foo)
+//
+// The correct type is automatically chosen from the type registry, and the
+// returned interface can be cast straight to that type.
--- a/vendor/github.com/containerd/typeurl/types.go
+++ b/vendor/github.com/containerd/typeurl/types.go
@ -78,7 +78,10 @@ func Is(any *types.Any, v interface{}) bool {
 	return any.TypeUrl == url
 }

-// MarshalAny marshals the value v into an any with the correct TypeUrl
+// MarshalAny marshals the value v into an any with the correct TypeUrl.
+// If the provided object is already a proto.Any message, then it will be
+// returned verbatim. If it is of type proto.Message, it will be marshaled as a
+// protocol buffer. Otherwise, the object will be marshaled to json.
 func MarshalAny(v interface{}) (*types.Any, error) {
 	var marshal func(v interface{}) ([]byte, error)
 	switch t := v.(type) {
--- a/vendor/github.com/davecgh/go-spew/LICENSE
+++ b/vendor/github.com/davecgh/go-spew/LICENSE
@ -2,7 +2,7 @@ ISC License

 Copyright (c) 2012-2016 Dave Collins <dave@davec.name>

-Permission to use, copy, modify, and distribute this software for any
+Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.

--- a/vendor/github.com/davecgh/go-spew/README.md
+++ b/vendor/github.com/davecgh/go-spew/README.md
@ -1,12 +1,9 @@
 go-spew
 =======

-[![Build Status](https://img.shields.io/travis/davecgh/go-spew.svg)]
-(https://travis-ci.org/davecgh/go-spew) [![ISC License]
-(http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org) [![Coverage Status]
-(https://img.shields.io/coveralls/davecgh/go-spew.svg)]
-(https://coveralls.io/r/davecgh/go-spew?branch=master)
-
+[![Build Status](https://img.shields.io/travis/davecgh/go-spew.svg)](https://travis-ci.org/davecgh/go-spew)
+[![ISC License](http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org)
+[![Coverage Status](https://img.shields.io/coveralls/davecgh/go-spew.svg)](https://coveralls.io/r/davecgh/go-spew?branch=master)

 Go-spew implements a deep pretty printer for Go data structures to aid in
 debugging.  A comprehensive suite of tests with 100% test coverage is provided
@ -21,8 +18,7 @@ post about it

 ## Documentation

-[![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)]
-(http://godoc.org/github.com/davecgh/go-spew/spew)
+[![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)](http://godoc.org/github.com/davecgh/go-spew/spew)

 Full `go doc` style documentation for the project can be viewed online without
 installing this package by using the excellent GoDoc site here:
--- a/vendor/github.com/davecgh/go-spew/spew/bypass.go
+++ b/vendor/github.com/davecgh/go-spew/spew/bypass.go
@ -16,7 +16,9 @@
 // when the code is not running on Google App Engine, compiled by GopherJS, and
 // "-tags safe" is not added to the go build command line.  The "disableunsafe"
 // tag is deprecated and thus should not be used.
-// +build !js,!appengine,!safe,!disableunsafe
+// Go versions prior to 1.4 are disabled because they use a different layout
+// for interfaces which make the implementation of unsafeReflectValue more complex.
+// +build !js,!appengine,!safe,!disableunsafe,go1.4

 package spew

@ -34,80 +36,49 @@ const (
 	ptrSize = unsafe.Sizeof((*byte)(nil))
 )

-var (
-	// offsetPtr, offsetScalar, and offsetFlag are the offsets for the
-	// internal reflect.Value fields.  These values are valid before golang
-	// commit ecccf07e7f9d which changed the format.  The are also valid
-	// after commit 82f48826c6c7 which changed the format again to mirror
-	// the original format.  Code in the init function updates these offsets
-	// as necessary.
-	offsetPtr    = uintptr(ptrSize)
-	offsetScalar = uintptr(0)
-	offsetFlag   = uintptr(ptrSize * 2)
+type flag uintptr

-	// flagKindWidth and flagKindShift indicate various bits that the
-	// reflect package uses internally to track kind information.
-	//
-	// flagRO indicates whether or not the value field of a reflect.Value is
-	// read-only.
-	//
-	// flagIndir indicates whether the value field of a reflect.Value is
-	// the actual data or a pointer to the data.
-	//
-	// These values are valid before golang commit 90a7c3c86944 which
-	// changed their positions.  Code in the init function updates these
-	// flags as necessary.
-	flagKindWidth = uintptr(5)
-	flagKindShift = uintptr(flagKindWidth - 1)
-	flagRO        = uintptr(1 << 0)
-	flagIndir     = uintptr(1 << 1)
+var (
+	// flagRO indicates whether the value field of a reflect.Value
+	// is read-only.
+	flagRO flag
+
+	// flagAddr indicates whether the address of the reflect.Value's
+	// value may be taken.
+	flagAddr flag
 )

-func init() {
-	// Older versions of reflect.Value stored small integers directly in the
-	// ptr field (which is named val in the older versions).  Versions
-	// between commits ecccf07e7f9d and 82f48826c6c7 added a new field named
-	// scalar for this purpose which unfortunately came before the flag
-	// field, so the offset of the flag field is different for those
-	// versions.
-	//
-	// This code constructs a new reflect.Value from a known small integer
-	// and checks if the size of the reflect.Value struct indicates it has
-	// the scalar field. When it does, the offsets are updated accordingly.
-	vv := reflect.ValueOf(0xf00)
-	if unsafe.Sizeof(vv) == (ptrSize * 4) {
-		offsetScalar = ptrSize * 2
-		offsetFlag = ptrSize * 3
-	}
+// flagKindMask holds the bits that make up the kind
+// part of the flags field. In all the supported versions,
+// it is in the lower 5 bits.
+const flagKindMask = flag(0x1f)

-	// Commit 90a7c3c86944 changed the flag positions such that the low
-	// order bits are the kind.  This code extracts the kind from the flags
-	// field and ensures it's the correct type.  When it's not, the flag
-	// order has been changed to the newer format, so the flags are updated
-	// accordingly.
-	upf := unsafe.Pointer(uintptr(unsafe.Pointer(&vv)) + offsetFlag)
-	upfv := *(*uintptr)(upf)
-	flagKindMask := uintptr((1<<flagKindWidth - 1) << flagKindShift)
-	if (upfv&flagKindMask)>>flagKindShift != uintptr(reflect.Int) {
-		flagKindShift = 0
-		flagRO = 1 << 5
-		flagIndir = 1 << 6
+// Different versions of Go have used different
+// bit layouts for the flags type. This table
+// records the known combinations.
+var okFlags = []struct {
+	ro, addr flag
+}{{
+	// From Go 1.4 to 1.5
+	ro:   1 << 5,
+	addr: 1 << 7,
+}, {
+	// Up to Go tip.
+	ro:   1<<5 | 1<<6,
+	addr: 1 << 8,
+}}

-		// Commit adf9b30e5594 modified the flags to separate the
-		// flagRO flag into two bits which specifies whether or not the
-		// field is embedded.  This causes flagIndir to move over a bit
-		// and means that flagRO is the combination of either of the
-		// original flagRO bit and the new bit.
-		//
-		// This code detects the change by extracting what used to be
-		// the indirect bit to ensure it's set.  When it's not, the flag
-		// order has been changed to the newer format, so the flags are
-		// updated accordingly.
-		if upfv&flagIndir == 0 {
-			flagRO = 3 << 5
-			flagIndir = 1 << 7
-		}
+var flagValOffset = func() uintptr {
+	field, ok := reflect.TypeOf(reflect.Value{}).FieldByName("flag")
+	if !ok {
+		panic("reflect.Value has no flag field")
 	}
+	return field.Offset
+}()
+
+// flagField returns a pointer to the flag field of a reflect.Value.
+func flagField(v *reflect.Value) *flag {
+	return (*flag)(unsafe.Pointer(uintptr(unsafe.Pointer(v)) + flagValOffset))
 }

 // unsafeReflectValue converts the passed reflect.Value into a one that bypasses
@ -119,34 +90,56 @@ func init() {
 // This allows us to check for implementations of the Stringer and error
 // interfaces to be used for pretty printing ordinarily unaddressable and
 // inaccessible values such as unexported struct fields.
-func unsafeReflectValue(v reflect.Value) (rv reflect.Value) {
-	indirects := 1
-	vt := v.Type()
-	upv := unsafe.Pointer(uintptr(unsafe.Pointer(&v)) + offsetPtr)
-	rvf := *(*uintptr)(unsafe.Pointer(uintptr(unsafe.Pointer(&v)) + offsetFlag))
-	if rvf&flagIndir != 0 {
-		vt = reflect.PtrTo(v.Type())
-		indirects++
-	} else if offsetScalar != 0 {
-		// The value is in the scalar field when it's not one of the
-		// reference types.
-		switch vt.Kind() {
-		case reflect.Uintptr:
-		case reflect.Chan:
-		case reflect.Func:
-		case reflect.Map:
-		case reflect.Ptr:
-		case reflect.UnsafePointer:
-		default:
-			upv = unsafe.Pointer(uintptr(unsafe.Pointer(&v)) +
-				offsetScalar)
+func unsafeReflectValue(v reflect.Value) reflect.Value {
+	if !v.IsValid() || (v.CanInterface() && v.CanAddr()) {
+		return v
+	}
+	flagFieldPtr := flagField(&v)
+	*flagFieldPtr &^= flagRO
+	*flagFieldPtr |= flagAddr
+	return v
+}
+
+// Sanity checks against future reflect package changes
+// to the type or semantics of the Value.flag field.
+func init() {
+	field, ok := reflect.TypeOf(reflect.Value{}).FieldByName("flag")
+	if !ok {
+		panic("reflect.Value has no flag field")
+	}
+	if field.Type.Kind() != reflect.TypeOf(flag(0)).Kind() {
+		panic("reflect.Value flag field has changed kind")
+	}
+	type t0 int
+	var t struct {
+		A t0
+		// t0 will have flagEmbedRO set.
+		t0
+		// a will have flagStickyRO set
+		a t0
+	}
+	vA := reflect.ValueOf(t).FieldByName("A")
+	va := reflect.ValueOf(t).FieldByName("a")
+	vt0 := reflect.ValueOf(t).FieldByName("t0")
+
+	// Infer flagRO from the difference between the flags
+	// for the (otherwise identical) fields in t.
+	flagPublic := *flagField(&vA)
+	flagWithRO := *flagField(&va) | *flagField(&vt0)
+	flagRO = flagPublic ^ flagWithRO
+
+	// Infer flagAddr from the difference between a value
+	// taken from a pointer and not.
+	vPtrA := reflect.ValueOf(&t).Elem().FieldByName("A")
+	flagNoPtr := *flagField(&vA)
+	flagPtr := *flagField(&vPtrA)
+	flagAddr = flagNoPtr ^ flagPtr
+
+	// Check that the inferred flags tally with one of the known versions.
+	for _, f := range okFlags {
+		if flagRO == f.ro && flagAddr == f.addr {
+			return
 		}
 	}
-
-	pv := reflect.NewAt(vt, upv)
-	rv = pv
-	for i := 0; i < indirects; i++ {
-		rv = rv.Elem()
-	}
-	return rv
+	panic("reflect.Value read-only flag has changed semantics")
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Silvin Lubecki	f28d9cc929	Merge pull request #1846 from andrewhsu/v update vndr docker/docker ac48309 and related packages	2019-04-24 21:43:12 +02:00
Andrew Hsu	eb2bfeccf7	update vndr coreos/etcd d57e8b8 Signed-off-by: Andrew Hsu <andrewhsu@docker.com>	2019-04-24 18:29:33 +00:00
Andrew Hsu	c1a4fb4922	update vndr moby/buildkit 8818c67 Signed-off-by: Andrew Hsu <andrewhsu@docker.com>	2019-04-24 18:26:58 +00:00
Andrew Hsu	e243174b30	update vndr Microsoft/go-winio 84b4ab4 Signed-off-by: Andrew Hsu <andrewhsu@docker.com>	2019-04-24 18:24:26 +00:00
Andrew Hsu	af053bc278	update vndr Microsoft/hcsshim 672e52e Signed-off-by: Andrew Hsu <andrewhsu@docker.com>	2019-04-24 18:14:51 +00:00
Andrew Hsu	30cc5d96b3	update vndr docker/docker to ac48309 Signed-off-by: Andrew Hsu <andrewhsu@docker.com>	2019-04-24 18:10:45 +00:00
Tõnis Tiigi	70f48f2231	Merge pull request #1840 from tiborvass/cli-plugin-aliases cli-plugins: alias an existing allowed command (only builder for now)	2019-04-23 19:13:51 -07:00
Silvin Lubecki	9a0b171192	Merge pull request #1844 from thaJeztah/bump_go_units bump docker/go-units v0.4.0	2019-04-23 17:14:49 +02:00
Sebastiaan van Stijn	c94308fa99	bump docker/go-units v0.4.0 relevant changes: - docker/go-units#33 Fix handling of unlimited (-1) ulimit values - docker/go-units#34 Revert 46 minute threshold Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-23 17:01:07 +02:00
Tibor Vass	1ed02c40fe	cli-plugins: alias an existing allowed command (only builder for now) With this patch it is possible to alias an existing allowed command. At the moment only builder allows an alias. This also properly puts the build command under builder, instead of image where it was for historical reasons. Signed-off-by: Tibor Vass <tibor@docker.com>	2019-04-19 01:26:45 +00:00
Sebastiaan van Stijn	8ca1f0bb7d	Merge pull request #1715 from AkihiroSuda/fix-bastion commandconn: set SysProcAttr.Setsid (Fix DOCKER_HOST=ssh://host-behind-bastion)	2019-04-18 19:55:53 +02:00
Sebastiaan van Stijn	59952a0146	Merge pull request #1839 from thaJeztah/bump_engine3 bump docker/docker 92a6266c9d4f1bacbfb68d1c6b9c94f673d6cfde	2019-04-18 19:32:32 +02:00
Sebastiaan van Stijn	ba8388f052	bump github.com/davecgh/go-spew v1.1.1 full diff: https://github.com/davecgh/go-spew/compare/v1.1.0...v1.1.1 - davecgh/go-spew#79 simpler, more robust bypass Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-18 19:20:31 +02:00
Sebastiaan van Stijn	6a562c9b33	bump beorn7/perks e7f67b54abbeac9c40a31de0f81159e4cafebd6a no local changes Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-18 19:14:39 +02:00
Sebastiaan van Stijn	df4dc54374	bump docker/swarmkit 59163bf75df38489d4a10392265d27156dc473c5 full diff: `18e7e58ea1...59163bf75d` - Add missing return when configuring VXLAN port - Prevent possible panic in cnmallocator.IsAttachmentAllocated() - update github.com/pivotal-golang/clock - new name for package: code.cloudfoundry.org/clock Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-18 19:13:13 +02:00
Sebastiaan van Stijn	84dc462ea4	bump containerd/go-runc 7d11b49dc0769f6dbb0d1b19f3d48524d1bad9ad Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-18 19:12:10 +02:00
Sebastiaan van Stijn	ac234326a6	bump containerd/fifo a9fb20d87448d386e6d50b1f2e1fa70dcf0de43c - containerd/fifo#17 Expose underlying file's `SyscallConn` method Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-18 19:10:16 +02:00
Sebastiaan van Stijn	eeaa4e543a	bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 full diff: `2c00daeb6c...d98352740c` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-18 19:07:59 +02:00
Sebastiaan van Stijn	1962ec66bb	bump docker/docker 92a6266c9d4f1bacbfb68d1c6b9c94f673d6cfde full diff: `ed07e11528...92a6266c9d` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-18 19:06:05 +02:00
Sebastiaan van Stijn	d365225c32	Merge pull request #1838 from simonferquel/remove-context-in-function-names Remove "context" from context store interfaces function names	2019-04-18 18:38:01 +02:00
Sebastiaan van Stijn	fe19be2530	Merge pull request #1810 from albers/completion-buildkit Add BuildKit specific options to bash completion	2019-04-18 17:56:12 +02:00
Sebastiaan van Stijn	5ad82fafb3	Merge pull request #1829 from thaJeztah/bump_gotestsum_v0.3.4 bump gotestsum v0.3.4	2019-04-18 17:55:12 +02:00
Sebastiaan van Stijn	f99e0b00e9	Merge pull request #1828 from thaJeztah/bump_shlex bump github.com/google/shlex c34317bd91bf98fab745d77b03933cf8769299fe	2019-04-18 17:55:02 +02:00
Sebastiaan van Stijn	04751fd58e	Merge pull request #1830 from thaJeztah/use_google_shlex Switch to google/shlex	2019-04-18 17:53:37 +02:00
Sebastiaan van Stijn	438426e0fc	Merge pull request #1811 from thaJeztah/bump_grpc_1.12.2 bump google.golang.org/grpc v1.12.2	2019-04-18 17:49:19 +02:00
Sebastiaan van Stijn	71570160c1	Merge pull request #1826 from thaJeztah/bump_engine2 bump docker/docker ed07e1152879a4d156dff2e86abca3c4c811e743	2019-04-18 17:48:44 +02:00
Simon Ferquel	a3efd5d195	Cleanup context store interfaces This remove the term "context" from context store interfaces, to make them more concise Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>	2019-04-18 15:49:36 +02:00
Sebastiaan van Stijn	84b3805feb	Merge pull request #1836 from simonferquel/context-export-source Split the context store interface	2019-04-18 15:36:13 +02:00
Simon Ferquel	225c9b189a	Split the context store interface This is to make it easier to implement support for exporting contexts in 3rd party code, or to create mocks in tests. 2 exemples where it simplify things: - docker-app desktop-specific context decorator (which rewrites parts of the docker context to simplify UX when using on Docker Desktop contexts) - ucp for including a context in the connection bundle Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>	2019-04-18 15:03:46 +02:00
Sebastiaan van Stijn	552e8d1a73	Merge pull request #1832 from thaJeztah/bump_golang_1.12.4 Bump Golang 1.12.4	2019-04-18 01:53:53 +02:00
Tibor Vass	2432af701a	Merge pull request #1808 from martencassel/securityopt-systempaths-unconfined add cli integration for unconfined systempaths	2019-04-16 11:48:43 -07:00
Sebastiaan van Stijn	49bd6b729d	Merge pull request #1835 from dhiltgen/refined_login_warning Refine warning for storing registry passwords	2019-04-16 10:36:24 +02:00
Daniel Hiltgen	5b3f171482	Add unit test coverage for token auth Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>	2019-04-15 16:13:55 -07:00
Silvin Lubecki	f02d94afbb	Merge pull request #1825 from thaJeztah/bump_gotest_2.3.0 bump gotest.tools v2.3.0	2019-04-15 11:56:37 +02:00
Vincent Demeester	c61435b9c7	Merge pull request #1834 from thaJeztah/end_of_upstream_packages vendor.conf: reserve space for downstream projects	2019-04-15 09:49:07 +02:00
Sebastiaan van Stijn	d043ab5993	Merge pull request #1823 from simonferquel/refactor-kubernetes-extras Regroup all kubernetes extra-fields under x-kubernetes	2019-04-14 22:59:41 +02:00
Daniel Hiltgen	80d2496f99	Refine warning for storing registry passwords This change refines the warning message returned during docker login to only warn for unencrypted storage when the users password is being stored. If the remote registry supports identity tokens, omit the warning, since those tokens can be independently managed and revoked. Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>	2019-04-14 08:33:53 -07:00
Sebastiaan van Stijn	337a9611e2	bump gotestsum v0.3.4 https://github.com/gotestyourself/gotestsum/releases/tag/v0.3.4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-14 16:51:12 +02:00
Sebastiaan van Stijn	8c5460a2cc	vendor.conf: reserve space for downstream projects This helps merge conflicts in situations where downstream projects have additional dependencies. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-14 16:21:12 +02:00
Sebastiaan van Stijn	cf47bb2cc2	Bump Golang 1.12.4 go1.12.4 (released 2019/04/11) fixes an issue where using the prebuilt binary releases on older versions of GNU/Linux led to failures when linking programs that used cgo. Only Linux users who hit this issue need to update. See golang/go#31293 for details Full diff: https://github.com/golang/go/compare/go1.12.3...go1.12.4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-14 02:19:16 +02:00
Sebastiaan van Stijn	acb24f5164	Switch to google/shlex The github.com/flynn-archive/go-shlex package is a fork of Google/shlex, and the repository is now archived, so let's switch to the maintained version. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 17:51:15 +02:00
Sebastiaan van Stijn	c30e94533c	bump golang.org/x/sys 4b34438f7a67ee5f45cc6132e2bad873a20324e9 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:42 +02:00
Sebastiaan van Stijn	767fafdb32	bump golang.org/x/sync e225da77a7e68af35c70ccbf71af2b83e6acac3c Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:36 +02:00
Sebastiaan van Stijn	b6cee4567c	bump golang.org/x/net eb5bcb51f2a31c7d5141d810b70815c05d9c9146 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:33 +02:00
Sebastiaan van Stijn	34806a8b4c	bump golang.org/x/crypto 38d8ce5564a5b71b2e3a00553993f1b9a7ae852f Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:30 +02:00
Sebastiaan van Stijn	058f4337a4	bump opencontainers/runc v1.0.0-rc7-6-g029124da Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:27 +02:00
Sebastiaan van Stijn	a9c26efc3c	bump moby/buildkit b3028967ae6259c9a31c1a1deeccd30fe3469cce Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:24 +02:00
Sebastiaan van Stijn	9d37657f34	bump konsorten/go-windows-terminal-sequences 1.0.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:21 +02:00
Sebastiaan van Stijn	34e119e571	bump containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:18 +02:00
Sebastiaan van Stijn	f07e16d42c	bump docker/docker ed07e1152879a4d156dff2e86abca3c4c811e743 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:09:15 +02:00
Sebastiaan van Stijn	40968111cc	bump github.com/google/shlex c34317bd91bf98fab745d77b03933cf8769299fe full diff: `6f45313302...c34317bd91` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 03:00:54 +02:00
Sebastiaan van Stijn	c8d685457b	bump gotest.tools v2.3.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-13 01:47:37 +02:00
Sebastiaan van Stijn	25e6a64e2a	bump google.golang.org/grpc v1.12.2 full diff: https://github.com/grpc/grpc-go/compare/v1.12.0...v1.12.2 - grpc/grpc-go#2074 transport/server: fix race between writing status and header - fix grpc/grpc-go#1972 Possible race sending headers from server while receiving message over size limit - grpc/grpc-go#2074 transport: account for user configured small io write buffer - fix grpc/grpc-go#2089 Server abruptly terminates connections if write buffer is small enough Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-12 20:46:34 +02:00
Brian Goff	58ec72afca	Merge pull request #1781 from dperny/swarm-credentialspec Support using swarm Configs as CredentialSpecs in Services.	2019-04-12 09:35:03 -07:00
Drew Erny	42ec51e1ae	add support for config credentialspecs to compose Signed-off-by: Drew Erny <drew.erny@docker.com>	2019-04-12 11:17:34 -05:00
Drew Erny	4cacd1304a	Add CredentialSpec tests Adds tests for setting and updating swarm service CredentialSpecs, especially when using a Config as a credential spec. Signed-off-by: Drew Erny <drew.erny@docker.com>	2019-04-12 11:17:34 -05:00
Drew Erny	01f4f2e80a	Update CredentialSpec code to allow using configs Updates the CredentialSpec handling code for services to allow using swarm Configs. Additionally, fixes a bug where the `--credential-spec` flag would not be respected on service updates. Signed-off-by: Drew Erny <drew.erny@docker.com>	2019-04-12 11:17:33 -05:00
Sebastiaan van Stijn	6511da877f	Add support for using Configs as CredentialSpecs in services Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-12 11:17:29 -05:00
Sebastiaan van Stijn	8b9cdab4e6	Merge pull request #1783 from sirlatrom/stack_compose_secret_driver Add driver field to top-level secret object	2019-04-12 18:15:36 +02:00
Simon Ferquel	e0f20fd86a	Regroup all kubernetes extra-fields under x-kubernetes This regroup all Kubernetes extra fields for compose-on-kubernetes v1alpha3 in a single x-kubernetes object. Also use the same naming scheme as cap_add etc. for fiels inside this object. Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>	2019-04-12 15:46:11 +02:00
Sebastiaan van Stijn	409c590fcf	Merge pull request #1815 from simonferquel/expose-to-internal-ports Support internal Load Balancing for Kubernetes stacks	2019-04-12 14:02:15 +02:00
Simon Ferquel	cad20c759f	Support internal Load Balancing for Kubernetes stacks On the server v0.4.21 has introduced a better way of dealing with intra-stack networking: if the user can specify a list of endpoints exposed internally, we now can setup a ClusterIP for this to avoid the pitfalls of DNS-based load balancing. This exposes the feature using the "Expose" compose field, and adds an extra x-internal-service-type field to explicitly define how intra-stack networking is handled on a service. Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>	2019-04-12 11:43:30 +02:00
Vincent Demeester	a125283e01	Merge pull request #1822 from thaJeztah/format_vendor Reformat vendor.conf and pin all deps by git-sha	2019-04-12 09:14:26 +02:00
Vincent Demeester	893f4a1194	Merge pull request #1818 from tao12345666333/bump-golang-1.12.3 Bump Golang 1.12.3	2019-04-12 09:10:23 +02:00
Sebastiaan van Stijn	9aa0d553c0	Sort vendor.conf alphabetically Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-12 01:33:10 +02:00
Sebastiaan van Stijn	6026ce4a8b	Reformat vendor.conf and pin all deps by git-sha To make it better readable, and to encourage pinning by sha, but "align" to a tagged release. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-12 01:31:04 +02:00
Jintao Zhang	c55c801faf	Bump Golang 1.12.3 Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>	2019-04-11 10:44:16 +08:00
Sebastiaan van Stijn	ac758d9f80	Merge pull request #1817 from simonferquel/docker-host-context-warning Add warnings when DOCKER_HOST conflicts with contexts	2019-04-10 15:01:20 +02:00
Simon Ferquel	1cefe057cd	Add warnings when DOCKER_HOST conflicts with contexts For clarity, on `docker context use` or `docker context ls`, this adds a warning if the DOCKER_HOST variable is set because it overrides the active context. Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>	2019-04-10 10:14:47 +02:00
Sebastiaan van Stijn	d6af3e143e	Merge pull request #1773 from zappy-shu/create-context-from-current add --from flag to context create	2019-04-09 16:38:46 +02:00
Brian Goff	f019bdcace	Merge pull request #1816 from thaJeztah/bump_golang_1.12.2 Bump Golang 1.12.2	2019-04-08 10:22:07 -07:00
Sebastiaan van Stijn	ed8733a940	Bump Golang 1.12.2 go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go command, the runtime, and the doc, net, net/http/httputil, and os packages. See the Go 1.12.2 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.12.2 Full diff: https://github.com/golang/go/compare/go1.12.1...go1.12.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-04-08 18:53:12 +02:00
Harald Albers	7945010874	Add support for BuildKit specific options to bash completion Signed-off-by: Harald Albers <github@albersweb.de>	2019-04-05 23:27:12 +02:00
Mårten Cassel	5bc9f490a9	add cli integration for unconfined systempaths with unit test, implement suggested changes Signed-off-by: Mårten Cassel <marten.cassel@gmail.com>	2019-04-05 15:46:15 +02:00
Sune Keller	ed838bff1f	Add test case Signed-off-by: Sune Keller <absukl@almbrand.dk>	2019-04-05 12:01:21 +02:00
Sune Keller	c662ba03de	Make use of driver and driver_opts fields in secrets Signed-off-by: Sune Keller <absukl@almbrand.dk>	2019-04-05 12:01:21 +02:00
Sune Keller	89f9d806ff	Add driver and driver_opts to secret in compose schema 3.8 Signed-off-by: Sune Keller <absukl@almbrand.dk>	2019-04-05 12:01:21 +02:00
Nick Adcock	8bb152d967	add --from option to context create --from creates a context from a named context. By default `context create` will create a context from the current context. Replaced "from-current=" docker/kubernetes option with "from=" to allow specifying which context to copy the settings from. Signed-off-by: Nick Adcock <nick.adcock@docker.com>	2019-04-02 13:41:47 +01:00
Akihiro Suda	62a15c16fc	commandconn: set SysProcAttr.Setsid Setting `Setsid` is needed for SSH connection helper with `ProxyCommand` config, so as to detach TTY. e.g. $ cat ~/.ssh/config Host foo Hostname foo ProxyCommand ssh -W %h:%p bastion $ DOCKER_HOST=ssh://foo docker run -it --rm alpine / # Fix #1707 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>	2019-03-06 13:22:54 +09:00